DEPENDENT TYPES AND EXPLICIT SUBSTITUTIONS


CÉSAR MUÑOZ*

Abstract. We present a dependent-type system for a λ-calculus with explicit substitutions. In this system, meta-variables, as well as substitutions, are first-class objects. We show that the system enjoys properties like type uniqueness, subject reduction, soundness, confluence and weak normalization.

Key words. Explicit substitutions, dependent types, lambda-calculus

Subject  classification.  Computer  Science 

1. Introduction. Since the λσ-calculus of explicit substitutions was introduced in [1], several other variants of explicit substitution calculi have been proposed; among others [38, 27, 20, 4, 28, 7, 24, 31, 10, 33]. By using substitutions as first-class objects, and de Bruijn indices notation for variables, the λσ-calculus allows a first-order encoding of the λ-calculus. In consequence, technical nuisances due to higher-order aspects of the λ-calculus, for example α-conversion, can be minimized or eliminated in explicit substitution calculi. For instance, higher-order unification problems have been reformulated in a first-order setting via some variants of λσ [8, 9, 25, 5].

However, explicit substitutions are not free of difficulties. Typed versions of these calculi lead to unexpected problems. It is well known now that λσ does not preserve strong normalization [30], that is, well-typed terms may not terminate in λσ. Furthermore, as a rewrite system, λσ is not confluent on open terms [7].

In constructive logic, explicit substitutions and open terms form a framework to represent incomplete proofs, i.e., proofs under development [29, 32]. In this approach, meta-variables are place-holders in a proof-term, and an explicit substitution notation is necessary to delay the application of substitutions to meta-variables waiting to be instantiated. Meta-variables have also been used as unification variables in the higher-order unification methods presented in [8, 9, 25].

In order to apply explicit substitution techniques in a dependent-type framework, we develop a λ-calculus of explicit substitutions, called λΠ_L, with dependent types and support for meta-variables.

The rest of this section gives an overview of the dependent-type theory in which we are interested, and of the simply-typed version of λσ. We finish the section with a discussion about the main difficulties of setting the λσ-calculus in a dependent-type theory. In Section 2 we present the λΠ_L-calculus. Just as the λ-calculus extended with the η-rule, which is not confluent on terms with type annotations (not necessarily well-typed), λΠ_L is not confluent due to type annotations on substitutions. However, using a technique proposed by Geuvers in [11], we prove that it is confluent on well-typed expressions. We show how to adapt Geuvers' technique to λΠ_L in Section 3. In Section 4 we show the elementary typing properties of λΠ_L: sort soundness, type uniqueness, subject reduction and soundness. In Section 5 we prove the main properties on well-typed λΠ_L-expressions: weak normalization, Church-Rosser, and confluence. In the last section we discuss related work and summarize our work.

*  Institute  for  Computer  Applications  in  Science  and  Engineering,  Mail  Stop  132C,  NASA  Langley  Research  Center,  Hampton, 
VA  23681-2199,  email:  munoz@icase.edu.  This  research  was  supported  by  INRIA  -  Rocquencourt  while  the  author  was  an 
international  fellow  at  the  INRIA  institute,  and  by  the  National  Aeronautics  and  Space  Administration  under  NASA  Contract 
NAS  1-97046  while  he  was  in  residence  at  the  Institute  for  Computer  Applications  in  Science  and  Engineering  (ICASE),  NASA 
Langley  Research  Center,  Hampton,  VA  23681-2199. 
1.1. Dependent types. The Dependent Type theory, namely λΠ [18], is a conservative extension of the simply-typed λ-calculus. It allows a finer stratification of terms by generalizing the function space type. In fact, in λΠ, the type of a function λx:A.M is Πx:A.B where B (the type of M) may depend on x. Hence, the type A → B of the simply-typed λ-calculus is just a notation in λΠ for the product Πx:A.B where x does not appear free in B.

From a logical point of view, the λΠ-calculus allows representation of proofs in first-order intuitionistic logic using universal quantification. Via the types-as-proofs principle, a term of type Πx:A.B is a proof-term of the proposition ∀x:A.B.

Terms in λΠ can be variables x, y, ..., applications (M N), abstractions λx:A.M, products Πx:A.B, or one of the sorts Type, Kind.¹ Notice that terms and types belong to the same syntactical category. Thus, Πx:A.B is a term, as well as λx:A.M. However, terms are stratified in several levels according to a type discipline. For instance, given an appropriate context of variable declarations, λx:A.M : Πx:A.B, Πx:A.B : Type, and Type : Kind. The term Kind cannot be typed in any context, but it is necessary since a circular typing such as Type : Type leads to Girard's paradox [15].

Typing judgments in λΠ have the form

$$\Gamma \vdash M : A$$

where Γ is a context of variable declarations, that is, a set of type assignments for free variables. We use the Greek letters Γ, Δ to range over contexts. Since types may be ill-typed, typing judgments for valid contexts are also necessary. The notation

$$\vdash \Gamma$$

captures that types in Γ are well-typed. The λΠ-type system is given in Fig. 1.1.

In a higher-order logic, as λΠ, it may happen that two syntactically different types become identical via β-conversion. Rule (Conv) uses the equivalence relation $=_\beta$, which is defined as the reflexive and transitive closure of the relation induced by the β-rule: $(\lambda x{:}A.M\ N) \to M[N/x]$. We recall that $M[N/x]$ is just a notation for the atomic substitution of the free occurrences of x in M by N, with renaming of bound variables in M when necessary.

1.2. Explicit substitutions and simple types. The λσ-calculus [1] is a first-order rewrite system with two sorts of expressions: terms and substitutions.

Simple types are generated from a denumerable set of basic types a, b, ... and their functional closure, i.e., if A, B are simple types, then A → B is also a simple type. Well-formed expressions in the simply-typed λσ-calculus are defined by the following grammar:

$$\begin{array}{lrcl}
\text{Terms} & M, N & ::= & 1 \mid (M\ N) \mid \lambda_A.M \mid M[S]\\
\text{Substitutions} & S, T & ::= & id \mid \uparrow \mid M \cdot S \mid S \circ T\\
\text{Types} & A, B & ::= & a, b, \ldots \mid A \to B
\end{array}$$

In λσ, free and bound variables are represented by de Bruijn indices. They are encoded by means of the constant 1 and the substitution ↑. We write ↑ⁿ as a shorthand for ↑ ∘ ··· ∘ ↑ (n times). We overload the notation i to represent the λσ-term corresponding to the index i, i.e.,

$$i = \begin{cases} 1 & \text{if } i = 1\\ 1[\uparrow^n] & \text{if } i = n+1. \end{cases}$$

¹The names Type and Kind are not standard; other couples of names used in the literature are: (Set, Type), (Prop, Type) and (∗, □).

$$\frac{}{\vdash \emptyset}\ (\text{Empty}) \qquad \frac{\Gamma \vdash A : s \qquad s \in \{Kind, Type\} \qquad x \text{ is a fresh variable}}{\vdash \Gamma \cup \{x : A\}}\ (\text{Var-Decl})$$

$$\frac{\vdash \Gamma}{\Gamma \vdash Type : Kind}\ (\text{Type}) \qquad \frac{\vdash \Gamma \qquad (x : A) \in \Gamma}{\Gamma \vdash x : A}\ (\text{Var})$$

$$\frac{\Gamma \vdash A : Type \qquad x \text{ does not appear in } \Gamma \qquad \Gamma \cup \{x : A\} \vdash B : s \qquad s \in \{Kind, Type\}}{\Gamma \vdash \Pi x{:}A.B : s}\ (\text{Prod})$$

$$\frac{\Gamma \vdash A : Type \qquad x \text{ does not appear in } \Gamma \qquad \Gamma \cup \{x : A\} \vdash M : B \qquad \Gamma \cup \{x : A\} \vdash B : s \qquad s \in \{Kind, Type\}}{\Gamma \vdash \lambda x{:}A.M : \Pi x{:}A.B}\ (\text{Abs})$$

$$\frac{\Gamma \vdash M : \Pi x{:}A.B \qquad \Gamma \vdash N : A}{\Gamma \vdash (M\ N) : B[N/x]}\ (\text{Appl}) \qquad \frac{\Gamma \vdash M : A \qquad \Gamma \vdash B : s \qquad s \in \{Kind, Type\} \qquad A =_\beta B}{\Gamma \vdash M : B}\ (\text{Conv})$$

Fig. 1.1. The λΠ-system


An explicit substitution denotes a mapping from indices to terms. Thus, id maps each index i to the term i, ↑ maps each index i to the term i+1, S ∘ T is the composition of the mapping denoted by T with the mapping denoted by S (notice that the composition of substitutions follows a reverse order with respect to the usual notation of function composition), and finally, M · S maps the index 1 to the term M, and recursively, the index i+1 to the term mapped by the substitution S on the index i.
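The mapping reading of substitutions just described, as an added Python example that is not part of the paper: substitutions are interpreted as index → term functions over pure de Bruijn terms, and constructed instances of the σ-rules of Fig. 1.2 (every rule except (Beta), which the model does not contract) are checked to preserve that meaning. The tuple encoding, the function names and the sample terms M, N, S, T are choices made here, not notation from the paper.

```python
# Added example (not from the paper): a denotational reading of lambda-sigma substitutions
# as index -> term mappings, used to check that the sigma-rules of Fig. 1.2 preserve meaning.
#
# Pure de Bruijn terms (the "meaning" side): ("var", i) with i >= 1, ("app", a, b), ("lam", A, body).
# lambda-sigma expressions (the "syntax" side) add closures ("clos", M, S) for M[S]; substitutions
# are ("id",), ("shift",) for the arrow, ("cons", M, S) for M.S and ("comp", S, T) for S o T.
# The simple type A in ("lam", A, body) is an opaque label, since simple types contain no indices.

def subst(t, f):
    """Meta-level simultaneous substitution: replace every free index i of pure term t by f(i)."""
    tag = t[0]
    if tag == "var":
        return f(t[1])
    if tag == "app":
        return ("app", subst(t[1], f), subst(t[2], f))
    if tag == "lam":
        # Under the binder, index 1 is the bound variable and index i+1 refers to f(i),
        # whose free indices must be lifted by one to cross the binder.
        def under(i):
            return ("var", 1) if i == 1 else subst(f(i - 1), lambda j: ("var", j + 1))
        return ("lam", t[1], subst(t[2], under))
    raise ValueError(f"not a pure term: {t!r}")

def den(s):
    """Meaning of a substitution: the index -> pure term mapping described in the text."""
    tag = s[0]
    if tag == "id":
        return lambda i: ("var", i)                     # id maps i to i
    if tag == "shift":
        return lambda i: ("var", i + 1)                 # shift maps i to i+1
    if tag == "cons":
        m, rest = s[1], s[2]
        return lambda i: meaning(m) if i == 1 else den(rest)(i - 1)   # M.S: 1 -> M, i+1 -> S(i)
    if tag == "comp":
        # S o T: apply S first, then T (the reverse of the usual function-composition order).
        f_s, f_t = den(s[1]), den(s[2])
        return lambda i: subst(f_s(i), f_t)
    raise ValueError(f"not a substitution: {s!r}")

def meaning(t):
    """Meaning of a lambda-sigma term: the pure term obtained by pushing every closure through."""
    tag = t[0]
    if tag == "var":
        return t
    if tag == "app":
        return ("app", meaning(t[1]), meaning(t[2]))
    if tag == "lam":
        return ("lam", t[1], meaning(t[2]))
    if tag == "clos":
        return subst(meaning(t[1]), den(t[2]))
    raise ValueError(f"not a term: {t!r}")

def index(i):
    """The index i as the lambda-sigma term 1[shift^(i-1)] (the overloaded notation of the text)."""
    term = ("var", 1)
    for _ in range(i - 1):
        term = ("clos", term, ("shift",))
    return term

def same_substitution(s1, s2, n=8):
    """Two substitutions agree when they map every index (checked for 1..n) to the same pure term."""
    f1, f2 = den(s1), den(s2)
    return all(f1(i) == f2(i) for i in range(1, n + 1))

TERM_TAGS = {"var", "app", "lam", "clos"}

# Constructed instances of the rewrite rules of Fig. 1.2 (sigma-rules only; (Beta) changes the
# meaning, since this model does not contract beta-redexes). Each entry is (left side, right side).
M = ("app", ("var", 1), ("var", 3))
N = ("lam", "a", ("app", ("var", 1), ("var", 2)))
S = ("cons", ("var", 2), ("shift",))
T = ("comp", ("shift",), ("shift",))
SIGMA_RULES = {
    "Application": (("clos", ("app", M, N), S), ("app", ("clos", M, S), ("clos", N, S))),
    "Lambda": (("clos", ("lam", "a", M), S),
               ("lam", "a", ("clos", M, ("cons", ("var", 1), ("comp", S, ("shift",)))))),
    "Clos": (("clos", ("clos", M, S), T), ("clos", M, ("comp", S, T))),
    "VarCons": (("clos", ("var", 1), ("cons", M, S)), M),
    "Id": (("clos", M, ("id",)), M),
    "Ass": (("comp", ("comp", S, T), S), ("comp", S, ("comp", T, S))),
    "Map": (("comp", ("cons", M, S), T), ("cons", ("clos", M, T), ("comp", S, T))),
    "IdL": (("comp", ("id",), S), S),
    "IdR": (("comp", S, ("id",)), S),
    "ShiftCons": (("comp", ("shift",), ("cons", M, S)), S),
    "VarShift": (("cons", ("var", 1), ("shift",)), ("id",)),
    "SCons": (("cons", ("clos", ("var", 1), S), ("comp", ("shift",), S)), S),
}

def check_sigma_rules():
    """Map each rule name to whether its two sides denote the same pure term or the same mapping."""
    return {name: (meaning(lhs) == meaning(rhs)) if lhs[0] in TERM_TAGS else same_substitution(lhs, rhs)
            for name, (lhs, rhs) in SIGMA_RULES.items()}

def composition_order_example():
    """Index 1 under shift o S versus S o shift: composition order matters."""
    return den(("comp", ("shift",), S))(1), den(("comp", S, ("shift",)))(1)

if __name__ == "__main__":
    print(check_sigma_rules())
    print(meaning(index(4)), composition_order_example())
```

The check is only on finitely many indices and on fixed instances, which is enough to see that each σ-rule rewrites an expression to one with the same meaning; the `composition_order_example` result (index 1 goes to 2 under ↑ ∘ S but to 3 under S ∘ ↑) is the reverse-order remark made concrete.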

A context in λσ is a list of types. The empty context is written ε. A context with head A and rest Γ is written A.Γ. In that case, A is the type of the index 1, the head of Γ (if Γ is not empty) is the type of the index 2, and so on.

The type of a substitution is a context. This choice seems natural since substitutions denote mappings from indices to terms, and contexts are lists of types. In fact, if the type of a substitution S is the context A.Δ, the type of the term mapped by the substitution S on the index 1 is A, and so on for the rest of the indices. Typing judgments for substitutions in λσ have the form:

$$\Gamma \vdash S \triangleright \Delta.$$


$$\begin{array}{rcll}
(\lambda_A.M\ N) & \to & M[N \cdot id] & (\text{Beta})\\
(M\ N)[S] & \to & (M[S]\ N[S]) & (\text{Application})\\
(\lambda_A.M)[S] & \to & \lambda_A.M[1 \cdot (S \circ \uparrow)] & (\text{Lambda})\\
M[S][T] & \to & M[S \circ T] & (\text{Clos})\\
1[M \cdot S] & \to & M & (\text{VarCons})\\
M[id] & \to & M & (\text{Id})\\
(S_1 \circ S_2) \circ T & \to & S_1 \circ (S_2 \circ T) & (\text{Ass})\\
(M \cdot S) \circ T & \to & M[T] \cdot (S \circ T) & (\text{Map})\\
id \circ S & \to & S & (\text{IdL})\\
S \circ id & \to & S & (\text{IdR})\\
\uparrow \circ (M \cdot S) & \to & S & (\text{ShiftCons})\\
1 \cdot \uparrow & \to & id & (\text{VarShift})\\
1[S] \cdot (\uparrow \circ S) & \to & S & (\text{SCons})
\end{array}$$

$$\frac{}{A.\Gamma \vdash 1 : A}\ (\text{Var}) \qquad \frac{A.\Gamma \vdash M : B}{\Gamma \vdash \lambda_A.M : A \to B}\ (\text{Abs}) \qquad \frac{\Gamma \vdash M : A \to B \qquad \Gamma \vdash N : A}{\Gamma \vdash (M\ N) : B}\ (\text{Appl})$$

$$\frac{\Gamma \vdash S \triangleright \Delta \qquad \Delta \vdash M : A}{\Gamma \vdash M[S] : A}\ (\text{Clos}) \qquad \frac{}{\Gamma \vdash id \triangleright \Gamma}\ (\text{Id}) \qquad \frac{\Gamma \vdash S \triangleright \Delta_1 \qquad \Delta_1 \vdash T \triangleright \Delta_2}{\Gamma \vdash T \circ S \triangleright \Delta_2}\ (\text{Comp})$$

$$\frac{}{A.\Gamma \vdash \uparrow \triangleright \Gamma}\ (\text{Shift}) \qquad \frac{\Gamma \vdash M : A \qquad \Gamma \vdash S \triangleright \Delta}{\Gamma \vdash M \cdot S \triangleright A.\Delta}\ (\text{Cons})$$

Fig. 1.2. The simply-typed λσ-calculus [1]

The λσ-calculus and its typing rules are presented in Fig. 1.2. When meta-variables of terms are considered, an additional typing rule is necessary to state that each meta-variable is typed in a unique context by a unique type [8]:

$$\frac{}{\Gamma_X \vdash X : A_X}\ (\text{Metavar}).$$
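The typing rules of Fig. 1.2 together with (Metavar), as an added Python example that is not part of the paper: a checker in which, as in the text, the type of a substitution is a context. The tuple encoding, the use of Python lists for contexts (head first, so A.Γ is `[A] + Γ`), a dict for the signature, and the sample judgments in `demo` are all choices made here.

```python
# Added example (not from the paper): a checker for the simply-typed lambda-sigma rules of Fig. 1.2
# together with the (Metavar) rule.  Representation chosen here:
#   simple types:   base types are strings, A -> B is ("arrow", A, B)
#   terms:          ("one",) is the index 1, ("app", M, N), ("lam", A, M), ("clos", M, S) for M[S],
#                   ("meta", "X") for a meta-variable
#   substitutions:  ("id",), ("shift",), ("cons", M, S) for M.S, ("comp", S, T) for S o T
#   contexts:       Python lists; ctx[0] is the type of index 1, so the paper's A.Gamma is [A] + Gamma
#   signatures:     dict X -> (Gamma_X, A_X), the unique context and type of each meta-variable

def type_of(term, ctx, sig=None):
    """Gamma |- M : A.  Returns the simple type of `term` in `ctx`, or raises TypeError."""
    sig = sig or {}
    tag = term[0]
    if tag == "one":                                  # (Var): A.Gamma |- 1 : A
        if not ctx:
            raise TypeError("index 1 in the empty context")
        return ctx[0]
    if tag == "lam":                                  # (Abs): A.Gamma |- M : B  =>  Gamma |- lam_A.M : A -> B
        return ("arrow", term[1], type_of(term[2], [term[1]] + ctx, sig))
    if tag == "app":                                  # (Appl)
        fun, arg = type_of(term[1], ctx, sig), type_of(term[2], ctx, sig)
        if fun[0] != "arrow" or fun[1] != arg:
            raise TypeError(f"cannot apply a term of type {fun!r} to one of type {arg!r}")
        return fun[2]
    if tag == "clos":                                 # (Clos): Gamma |- S > Delta, Delta |- M : A  =>  Gamma |- M[S] : A
        return type_of(term[1], context_of(term[2], ctx, sig), sig)
    if tag == "meta":                                 # (Metavar): Gamma_X |- X : A_X, and only in that context
        gamma_x, a_x = sig[term[1]]
        if gamma_x != ctx:
            raise TypeError(f"meta-variable {term[1]} used in {ctx!r} but declared in {gamma_x!r}")
        return a_x
    raise ValueError(f"not a term: {term!r}")

def context_of(s, ctx, sig=None):
    """Gamma |- S > Delta.  The type of a substitution is a context: returns Delta or raises TypeError."""
    sig = sig or {}
    tag = s[0]
    if tag == "id":                                   # (Id): Gamma |- id > Gamma
        return ctx
    if tag == "shift":                                # (Shift): A.Gamma |- shift > Gamma
        if not ctx:
            raise TypeError("shift in the empty context")
        return ctx[1:]
    if tag == "cons":                                 # (Cons): Gamma |- M : A, Gamma |- S > Delta  =>  Gamma |- M.S > A.Delta
        return [type_of(s[1], ctx, sig)] + context_of(s[2], ctx, sig)
    if tag == "comp":                                 # (Comp): Gamma |- T > Delta1, Delta1 |- S > Delta2  =>  Gamma |- S o T > Delta2
        return context_of(s[1], context_of(s[2], ctx, sig), sig)
    raise ValueError(f"not a substitution: {s!r}")

def index(i):
    """The index i as the lambda-sigma term 1[shift^(i-1)], typed through (Clos), (Shift) and (Var)."""
    term = ("one",)
    for _ in range(i - 1):
        term = ("clos", term, ("shift",))
    return term

def well_typed(term, ctx, sig=None):
    """True when the term has a type in ctx, False when a typing rule fails."""
    try:
        type_of(term, ctx, sig)
        return True
    except TypeError:
        return False

def demo():
    """Constructed judgments illustrating the rules; returns the derived types and contexts."""
    a, b = "a", "b"
    gamma = [a, ("arrow", a, b)]                      # 1 : a,  2 : a -> b
    s = ("cons", ("lam", a, index(1)), ("shift",))   # gamma |- S > (a -> a).(a -> b)
    m = ("lam", a, ("app", index(3), ("app", index(2), index(1))))  # typed in that context
    gamma2 = [b] + gamma                              # one extra declaration in front
    sig = {"X": (gamma, a)}                           # X has type a, and only in gamma
    return {
        "app": type_of(("app", index(2), index(1)), gamma),
        "subst_context": context_of(s, gamma),
        "closure": type_of(("clos", m, s), gamma),
        # M[S][T] and M[S o T] receive the same type, matching rule (Clos) of the rewrite system
        "clos_clos": type_of(("clos", ("clos", m, s), ("shift",)), gamma2),
        "clos_comp": type_of(("clos", m, ("comp", s, ("shift",))), gamma2),
        "meta": type_of(("meta", "X"), gamma, sig),
        "meta_wrong_context": well_typed(("meta", "X"), gamma2, sig),
        "ill_typed_app": well_typed(("app", index(1), index(1)), gamma),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Because (Metavar) fixes both the context and the type of X, the checker rejects X in any context other than Γ_X; this is the uniqueness requirement that Section 1.3 shows is harder to keep once types may depend on terms.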


The simply-typed λσ-calculus with meta-variables of terms is confluent [38] and weakly normalizing [17, 33].

1.3. Dependent types and explicit substitutions. A dependent-type system for λΠ_L is not a simple extension of the simply-typed λσ-calculus. First of all, it is not clear how to type expressions containing meta-variables. Notice that in a dependent-type theory with de Bruijn indices, the order in which variables are declared in a context is important. In fact, in the context A.Γ, the indices in A are relative to Γ. But, how is the dependence regarding meta-variables?

Even without considering meta-variables, setting λσ in a dependent-type theory presents difficulties. Take, for example, the typing rule for simultaneous substitutions, the (Cons)-rule:

$$\frac{\Gamma \vdash M : A \qquad \Gamma \vdash S \triangleright \Delta}{\Gamma \vdash M \cdot S \triangleright A.\Delta}\ (\text{Cons}).$$




A dependent-typed version of this rule has the form

$$\frac{\Gamma \vdash M : A[S] \qquad \Gamma \vdash S \triangleright \Delta \qquad \Delta \vdash A : Type}{\Gamma \vdash M \cdot S \triangleright A.\Delta}\ (\text{Cons}_\Pi).$$


First  notice  that  the  type  given  to  M  in  the  premises  of  the  rule  is  A[S]  (up  to  conversion).  The  application 
of  the  substitution  S  to  the  type  A  is  necessary  to  take  into  account  possible  dependencies  of  variables  in  A 
with  terms  in  S.  Hence,  a  type  inference  algorithm  should  use  a  higher-order  unification  procedure  to  infer 
the  type  of  M  •  S  which  depends  on  A. 

Another drawback of (Cons_Π) is that it is not sound with respect to the usual typing properties. In particular, a substitution can be typed with two contexts that are not convertible, i.e., types are not unique modulo conversion. For example, consider the context²

$$\Gamma = 0{:}nat.\ l{:}(\Pi n{:}nat.(T\ n)).\ T{:}nat \to Type.\ nat{:}Type$$

and the valid typing judgments

$$(1.1)\qquad \Gamma \vdash [x := 0 \cdot id] \triangleright x{:}nat.\ \Gamma$$

$$(1.2)\qquad \Gamma \vdash (l\ 0) : (T\ x)[x := 0 \cdot id].$$

Since (T x)[x := 0 · id] and (T 0)[x := 0 · id] are convertible via λσ, and (T 0)[x := 0 · id] is a valid type, we also have:

$$(1.3)\qquad \Gamma \vdash (l\ 0) : (T\ 0)[x := 0 \cdot id].$$

Using (Cons_Π) with (Eq. 1.1) and (Eq. 1.2), we get:

$$(1.4)\qquad \Gamma \vdash [y := (l\ 0) \cdot x := 0 \cdot id] \triangleright y{:}(T\ 0).\ x{:}nat.\ \Gamma$$

and with (Eq. 1.1) and (Eq. 1.3):

$$(1.5)\qquad \Gamma \vdash [y := (l\ 0) \cdot x := 0 \cdot id] \triangleright y{:}(T\ x).\ x{:}nat.\ \Gamma.$$

However, (T 0) and (T x) are not convertible, and then, the substitution [y := (l 0) · x := 0 · id] has two types, y:(T 0). x:nat. Γ and y:(T x). x:nat. Γ, which are not convertible.

To solve these problems, we use type annotations in substitutions, in a similar way as the Church style λ-calculus (as opposed to the Curry style) annotates binder variables in abstractions. The final version of (Cons_Π) has the form:

$$\frac{\Gamma \vdash M : A[S] \qquad \Gamma \vdash S \triangleright \Delta \qquad \Delta \vdash A : Type}{\Gamma \vdash M \cdot_A S \triangleright A.\Delta}\ (\text{Cons}_\Pi).$$

Annotations  in  substitutions  act  as  reminders  of  types,  and  they  must  be  introduced  and  maintained  by  the 
calculus  of  substitutions.  In  our  previous  example,  substitutions  in  Eq.  1.4  and  Eq.  1.5  should  be  annotated 
with  different  types. 


²For readability, we use named variables when discussing examples. Nevertheless, as we have said, λσ uses a de Bruijn nameless notation of variables.
A different solution proposed by Bloo in [2] is to introduce substitutions in contexts and to deal with these extended contexts via additional typing rules. This approach is similar to type systems with definitions [41, 3], where closures are typeable, but substitutions are not considered as typeable objects. We discuss this approach in the last section.

When we consider annotated substitutions, the system may lose the subject reduction property due to the non-left-linear rule (SCons): $1[S] \cdot_A (\uparrow \circ S) \to S$. For instance, take the context

$$\Gamma = m{:}(T\ 0) \to nat.\ 0{:}nat.\ l{:}(\Pi n{:}nat.(T\ n)).\ T{:}nat \to Type.\ nat{:}Type$$

and the substitution

$$S = [y := (l\ 0) \cdot_{(T\ 0)} x := 0 \cdot_{nat} id].$$

We verify that the following typing judgments are valid:

$$\Gamma \vdash S \triangleright y{:}(T\ 0).\ x{:}nat.\ \Gamma$$

$$\Gamma \vdash 1[S] \cdot_{(T\ x)} (\uparrow \circ S) \triangleright y{:}(T\ x).\ x{:}nat.\ \Gamma.$$

But also, $1[S] \cdot_{(T\ x)} (\uparrow \circ S) \xrightarrow{(\text{SCons})} S$. However, since (T 0) and (T x) are not convertible, $\Gamma \nvdash S \triangleright y{:}(T\ x).\ x{:}nat.\ \Gamma$. Therefore, the type of $1[S] \cdot_{(T\ x)} (\uparrow \circ S)$ is not preserved by rule (SCons).

The problem here is not the type system but the substitution calculus. Non-left-linear rules, like (SCons), are not only harmful for typing, but are also usually responsible for non-confluence problems [26, 7].

Nadathur [35] has remarked that in λσ with meta-variables of terms, but without meta-variables of substitutions, rule (SCons) is admissible when the following scheme of rule is added to the system: $1[\uparrow^n] \cdot \uparrow^{n+1} \to \uparrow^n$. Since ↑ⁿ is a shorthand, an infinite set of rules is represented by this scheme. Following Nadathur's idea, we present in [33] a variant of λσ, namely λ_L, which has the same general features as λσ, i.e., simple, finite, and first-order presentation, but without rule (SCons) of λσ.

In this paper, we propose the λΠ_L-calculus, which is based on λ_L, and show that λΠ_L is a suitable calculus for our purpose: explicit substitutions, dependent types and support for meta-variables.

2. λΠ_L-Calculus. As usual in explicit substitution calculi, expressions of λΠ_L are structured in terms and substitutions. Since we use the left-linear variant of λσ, the λ_L-calculus, we add the sort of natural numbers. The λΠ_L-calculus admits meta-variables only on the sort of terms.

The set of well-formed expressions in λΠ_L is defined by the following grammar:

$$\begin{array}{lrcl}
\text{Natural numbers} & n & ::= & 0 \mid n+1\\
\text{Meta-variables} & X & ::= & X \mid Y \mid \ldots\\
\text{Terms} & A, B, M, N & ::= & Kind \mid Type \mid 1 \mid \Pi_A.B \mid \lambda_A.M \mid (M\ N) \mid M[S] \mid X\\
\text{Substitutions} & S, T & ::= & \uparrow^n \mid M \cdot_A S \mid S \circ T
\end{array}$$

The equivalence relation $=_{\lambda\Pi_{\mathcal L}}$ is defined as the symmetric and transitive closure of the relation induced by the rewrite system in Fig. 2.1.

The system Π_L is obtained by dropping rule (Beta) from λΠ_L. As shown by Zantema [47], the Π_L-calculus is strongly normalizing.
$$\begin{array}{rcll}
(\lambda_A.M\ N) & \to & M[N \cdot_A \uparrow^0] & (\text{Beta})\\
(\lambda_A.M)[S] & \to & \lambda_{A[S]}.M[1 \cdot_A (S \circ \uparrow^1)] & (\text{Lambda})\\
(\Pi_A.B)[S] & \to & \Pi_{A[S]}.B[1 \cdot_A (S \circ \uparrow^1)] & (\text{Pi})\\
(M\ N)[S] & \to & (M[S]\ N[S]) & (\text{Application})\\
M[S][T] & \to & M[S \circ T] & (\text{Clos})\\
1[M \cdot_A S] & \to & M & (\text{VarCons})\\
M[\uparrow^0] & \to & M & (\text{Id})\\
(M \cdot_A S) \circ T & \to & M[T] \cdot_A (S \circ T) & (\text{Map})\\
\uparrow^0 \circ S & \to & S & (\text{IdS})\\
\uparrow^{n+1} \circ (M \cdot_A S) & \to & \uparrow^n \circ S & (\text{ShiftCons})\\
\uparrow^{n+1} \circ \uparrow^m & \to & \uparrow^n \circ \uparrow^{m+1} & (\text{ShiftShift})\\
1 \cdot_A \uparrow^1 & \to & \uparrow^0 & (\text{Shift0})\\
1[\uparrow^n] \cdot_A \uparrow^{n+1} & \to & \uparrow^n & (\text{ShiftS})\\
Type[S] & \to & Type & (\text{Type})
\end{array}$$

Fig. 2.1. The λΠ_L-rewrite system

Lemma 2.1. The Π_L-calculus is terminating.

Proof. See [34]. The proof uses the semantic labeling technique [46]. □

The λΠ_L-calculus, just as λσ, uses the composition operation to achieve confluence on terms with meta-variables. Rules (IdR) and (Ass) of λσ are not necessary in λΠ_L.

We adopt the notation i as a shorthand for 1[↑ⁿ] for i = n+1. In contrast to λσ, ↑ⁿ is not a shorthand but an explicit substitution in λΠ_L. Indeed, ↑⁰ replaces id and ↑¹ replaces ↑. In general, ↑ⁿ denotes the mapping of each index i to the term i+n. With this notation, the scheme of rule proposed by Nadathur can be encoded in a first-order rewrite system. Notice that we do not assume any meta-theoretical property on natural numbers. They are constructed with 0 and n+1. Arithmetic calculations on indices are embedded in the rewrite system.

2.1. Meta-variables in λΠ_L. As we have said, meta-variables are first-class objects in λΠ_L. Just as variables, they have to be declared in order to keep track of possible dependencies between terms and types.

A meta-variable declaration has the form $(X{:}_\Gamma A)$, where Γ and A are, respectively, a context and a type assigned to the meta-variable X. The pair (Γ, A) is unique (modulo $=_{\lambda\Pi_{\mathcal L}}$) for each meta-variable. This requirement is enforced by the type system.

A list of meta-variable declarations is called a signature. We use the Greek letter Σ to range over signatures. The empty signature is written ε. A signature with head $(X{:}_\Gamma A)$ and rest Σ is written $(X{:}_\Gamma A).\ \Sigma$. We overload the notation $\Sigma_1.\ \Sigma_2$ to write the concatenation of the signatures Σ₁ and Σ₂.

The order of the meta-variable declarations is important. In a signature $(X_1{:}_{\Gamma_1} A_1).\ \ldots\ (X_n{:}_{\Gamma_n} A_n)$, the type $A_i$ and the context $\Gamma_i$, $0 < i \le n$, may depend only on meta-variables $X_j$, $i < j \le n$. The indices in $A_i$ are relative to the context $\Gamma_i$.

The main operation on meta-variables is instantiation. The instantiation of a meta-variable X with a term M in an expression y (where y is a term or a substitution), denoted by $y\{X \mapsto M\}$, replaces all the occurrences of X in y by M. Application of an instantiation to a context Γ (signature Σ) is denoted by $\Gamma\{X \mapsto M\}$ ($\Sigma\{X \mapsto M\}$). It is defined in the obvious way.
In contrast to substitutions of variables, instantiations of meta-variables allow capturing of variables. Instantiations are not first-class objects, i.e., the application of an instantiation is atomic and external to the λΠ_L-calculus.

2.2. The λΠ_L-type system. In λΠ_L, we consider typing assertions having one of the following forms:

$$\vdash \Sigma; \Gamma$$

to capture that the context Γ is valid in the signature Σ,

$$\Sigma; \Gamma \vdash M : A$$

to capture that the term M has type A (the type M has the kind A) in Σ; Γ, and

$$\Sigma; \Gamma \vdash S \triangleright \Delta$$

to capture that the substitution S has the context type Δ in Σ; Γ.

The scoping rules for variables and meta-variables in the above type assertions are as follows. Contexts Γ, Δ, and expressions M, A, S may depend on any meta-variable declared in the respective signature Σ. Indices in M, A, and S are relative to their respective context Γ.

Typing  rules  for  signatures,  contexts,  terms,  and  substitutions  are  all  mutually  dependent.  They  are 
given  in  Fig.  2.2. 

In the following, we use ⊢ Σ, ⊢ Γ, Γ ⊢ M : A, and Γ ⊢ S ▷ Δ as shorthands for ⊢ Σ; ε, ⊢ ε; Γ, ε; Γ ⊢ M : A, and ε; Γ ⊢ S ▷ Δ, respectively.

Since  there  are  no  typing  rules  for  Kind ,  the  term  Kind  does  not  occur  as  a  sub-term  of  a  well-typed 
expression. 

The λΠ_L-system types at least as many terms as λΠ. In other words, λΠ_L is a conservative extension of λΠ.

Lemma 2.2 (Conservative extension). Let M, A be ground terms in λΠ_L, and Γ a ground context such that M, A, Γ do not contain explicit substitutions, then Γ ⊢ M : A in λΠ_L if and only if Γ ⊢ M : A in λΠ (modulo de Bruijn indices translation).

Proof. By induction on the typing derivation. □

The following lemma states the conditions that guarantee the soundness of instantiation of meta-variables in λΠ_L.

Lemma 2.3 (Instantiation soundness). Let M be a term such that $\Sigma_1; \Gamma \vdash M : A$, and Σ a signature having the form $\Sigma_2.\ (X{:}_\Gamma A).\ \Sigma_1$,

1. if $\vdash \Sigma; \Delta$, then $\vdash \Sigma\{X \mapsto M\}; \Delta\{X \mapsto M\}$,

2. if $\Sigma; \Delta \vdash N : B$, then $\Sigma\{X \mapsto M\}; \Delta\{X \mapsto M\} \vdash N\{X \mapsto M\} : B\{X \mapsto M\}$, and

3. if $\Sigma; \Delta_1 \vdash S \triangleright \Delta_2$, then $\Sigma\{X \mapsto M\}; \Delta_1\{X \mapsto M\} \vdash S\{X \mapsto M\} \triangleright \Delta_2\{X \mapsto M\}$.

Proof. By induction on the typing derivation. □

$$\frac{}{\vdash \varepsilon; \varepsilon}\ (\text{Empty}) \qquad \frac{\Sigma; \Gamma \vdash A : s \qquad s \in \{Kind, Type\} \qquad X \text{ is a fresh meta-variable}}{\vdash (X{:}_\Gamma A).\ \Sigma; \varepsilon}\ (\text{Metavar-Decl})$$

$$\frac{\Sigma; \Gamma \vdash A : s \qquad s \in \{Kind, Type\}}{\vdash \Sigma; A.\Gamma}\ (\text{Var-Decl}) \qquad \frac{\vdash \Sigma; \Gamma}{\Sigma; \Gamma \vdash Type : Kind}\ (\text{Type}) \qquad \frac{\vdash \Sigma; A.\Gamma}{\Sigma; A.\Gamma \vdash 1 : A[\uparrow^1]}\ (\text{Var})$$

$$\frac{\Sigma; \Gamma \vdash A : Type \qquad \Sigma; A.\Gamma \vdash B : s \qquad s \in \{Kind, Type\}}{\Sigma; \Gamma \vdash \Pi_A.B : s}\ (\text{Prod}) \qquad \frac{\Sigma; \Gamma \vdash M : \Pi_A.B \qquad \Sigma; \Gamma \vdash N : A}{\Sigma; \Gamma \vdash (M\ N) : B[N \cdot_A \uparrow^0]}\ (\text{Appl})$$

$$\frac{\Sigma; \Gamma \vdash A : Type \qquad \Sigma; A.\Gamma \vdash M : B \qquad \Sigma; \Gamma \vdash \Pi_A.B : s \qquad s \in \{Kind, Type\}}{\Sigma; \Gamma \vdash \lambda_A.M : \Pi_A.B}\ (\text{Abs})$$

$$\frac{\Sigma; \Gamma \vdash S \triangleright \Delta \qquad \Sigma; \Delta \vdash M : A \qquad \Sigma; \Delta \vdash A : s \qquad s \in \{Kind, Type\}}{\Sigma; \Gamma \vdash M[S] : A[S]}\ (\text{Clos}) \qquad \frac{\Sigma; \Gamma \vdash S \triangleright \Delta \qquad \Sigma; \Delta \vdash A : Kind}{\Sigma; \Gamma \vdash A[S] : Kind}\ (\text{Clos-Kind})$$

$$\frac{\vdash \Sigma; \Gamma \qquad (X{:}_\Delta A) \in \Sigma \qquad \Delta =_{\lambda\Pi_{\mathcal L}} \Gamma}{\Sigma; \Gamma \vdash X : A}\ (\text{Metavar}) \qquad \frac{\Sigma; \Gamma \vdash M : A \qquad \Sigma; \Gamma \vdash B : s \qquad s \in \{Kind, Type\} \qquad A =_{\lambda\Pi_{\mathcal L}} B}{\Sigma; \Gamma \vdash M : B}\ (\text{Conv})$$

$$\frac{\Sigma; \Gamma \vdash S \triangleright \Delta_1 \qquad \vdash \Sigma; \Delta_2 \qquad \Delta_1 =_{\lambda\Pi_{\mathcal L}} \Delta_2}{\Sigma; \Gamma \vdash S \triangleright \Delta_2}\ (\text{Conv-Subs}) \qquad \frac{\vdash \Sigma; \Gamma}{\Sigma; \Gamma \vdash \uparrow^0 \triangleright \Gamma}\ (\text{Id})$$

$$\frac{\Sigma; \Gamma \vdash S \triangleright \Delta_1 \qquad \Sigma; \Delta_1 \vdash T \triangleright \Delta_2}{\Sigma; \Gamma \vdash T \circ S \triangleright \Delta_2}\ (\text{Comp}) \qquad \frac{\vdash \Sigma; A.\Gamma \qquad \Sigma; \Gamma \vdash \uparrow^n \triangleright \Delta}{\Sigma; A.\Gamma \vdash \uparrow^{n+1} \triangleright \Delta}\ (\text{Shift})$$

$$\frac{\Sigma; \Gamma \vdash M : A[S] \qquad \Sigma; \Gamma \vdash S \triangleright \Delta \qquad \Sigma; \Delta \vdash A : Type}{\Sigma; \Gamma \vdash M \cdot_A S \triangleright A.\Delta}\ (\text{Cons})$$

Fig. 2.2. The λΠ_L-type system

2.3. Type annotations. Type annotations in substitutions are introduced with rules (Beta), (Lambda), and (Pi), and then propagated with rule (Map). They can also be eliminated with rules (VarCons), (ShiftCons), and (Shift0). Notice that the type annotation propagated by rule (Map): $(M \cdot_A S) \circ T \to M[T] \cdot_A (S \circ T)$ is A, not A[T].

Consider the following example.
Let Γ = z:nat. T:nat → Type. nat:Type. We verify that

$$(2.1)\qquad \Gamma \vdash (\lambda x{:}nat.\lambda f{:}((T\ x) \to nat).\lambda y{:}(T\ x).(f\ y)\ z) : ((T\ z) \to nat) \to ((T\ z) \to nat).$$

Reducing the (Beta)-redex and distributing the substitution inside the abstraction, we get

$$\begin{array}{l}
(\lambda x{:}nat.\lambda f{:}((T\ x) \to nat).\lambda y{:}(T\ x).(f\ y)\ z) \xrightarrow{(\text{Beta})}\\
(\lambda f{:}((T\ x) \to nat).\lambda y{:}(T\ x).(f\ y))[x := z \cdot_{nat} \uparrow^0] \xrightarrow{(\text{Lambda})}\\
\lambda f{:}((T\ z) \to nat).((\lambda y{:}(T\ x).(f\ y))[f := f \cdot_{(T\ x) \to nat} x := z \cdot_{nat} \uparrow^1]).
\end{array}$$

We will check that the type in Eq. 2.1 is preserved by the reduction.

Thanks to the rewrite rule (Lambda), the type annotation for f in the substitution $[f := f \cdot_{(T\ x) \to nat} x := z \cdot_{nat} \uparrow^1]$ is (T x) → nat, that is, the type of the variable f before the distribution of the substitution $[x := z \cdot_{nat} \uparrow^0]$ in the abstraction λf:((T x) → nat).λy:(T x).(f y).

The typing rules for substitutions install the right context of variables. For example, the expression λy:(T x).(f y) will be typed in a context where the variable declaration f : (T z) → nat has been replaced by f : (T x) → nat. In fact, we verify

$$(2.2)\qquad f{:}(T\ z) \to nat.\ \Gamma \vdash [f := f \cdot_{(T\ x) \to nat} x := z \cdot_{nat} \uparrow^1] \triangleright f{:}(T\ x) \to nat.\ x{:}nat.\ \Gamma$$

$$(2.3)\qquad f{:}(T\ x) \to nat.\ x{:}nat.\ \Gamma \vdash \lambda y{:}(T\ x).(f\ y) : (T\ x) \to nat$$

hence, by rule (Clos) applied to Eq. 2.2 and Eq. 2.3:

$$(2.4)\qquad f{:}(T\ z) \to nat.\ \Gamma \vdash (\lambda y{:}(T\ x).(f\ y))[f := f \cdot_{(T\ x) \to nat} x := z \cdot_{nat} \uparrow^1] : (T\ z) \to nat$$

and by rule (Abs) applied to Eq. 2.4:

$$\Gamma \vdash \lambda f{:}((T\ z) \to nat).(\lambda y{:}(T\ x).(f\ y))[f := f \cdot_{(T\ x) \to nat} x := z \cdot_{nat} \uparrow^1] : ((T\ z) \to nat) \to ((T\ z) \to nat).$$

The above example is due to Geuvers and Bloo [13], and it happens to be a counter-example for subject reduction in calculi of explicit substitutions with dependent types where substitutions do not keep track of typing information. The use of annotated substitutions in λΠ_L keeps the right type when a substitution is propagated under an abstraction or a product. In fact, as we will show below, subject reduction holds in λΠ_L.

However, annotated substitutions raise a technical problem: the λΠ_L-rewrite system is not confluent. The problem even exists if we only consider local confluence on ground terms. In fact, the following critical pair is not joinable in the general case, e.g., assume A and B to be different ground λΠ_L-normal forms:

$$M \cdot_B S \xleftarrow{(\text{Shift0});(\text{IdS})} (1 \cdot_A \uparrow^1) \circ (M \cdot_B S) \xrightarrow{(\text{Map});(\text{VarCons});(\text{ShiftCons});(\text{IdS})} M \cdot_A S.$$

This problem is similar to the one pointed out by Nederpelt for the λ-calculus extended with the η-rule [36]. In that case, the confluence property holds on terms without type annotations in abstractions (λ-calculus in the Curry style), but does not on terms with annotated abstractions (λ-calculus in the Church style). In [11], Geuvers proposes a method to prove confluence for the βη-reduction on well-typed λ-terms written in the Church style. In the next section we adapt this technique in order to prove the confluence property on well-typed λΠ_L expressions.
$$\begin{array}{rcll}
(\lambda_A.M\ N) & \to & M[N \cdot \uparrow^0] & (\text{Beta})\\
(\lambda_A.M)[S] & \to & \lambda_{A[S]}.M[1 \cdot (S \circ \uparrow^1)] & (\text{Lambda})\\
(\Pi_A.B)[S] & \to & \Pi_{A[S]}.B[1 \cdot (S \circ \uparrow^1)] & (\text{Pi})\\
1[M \cdot S] & \to & M & (\text{VarCons})\\
(M \cdot S) \circ T & \to & M[T] \cdot (S \circ T) & (\text{Map})\\
\uparrow^{n+1} \circ (M \cdot S) & \to & \uparrow^n \circ S & (\text{ShiftCons})\\
1 \cdot \uparrow^1 & \to & \uparrow^0 & (\text{Shift0})\\
1[\uparrow^n] \cdot \uparrow^{n+1} & \to & \uparrow^n & (\text{ShiftS})
\end{array}$$

Fig. 3.1. Modified rules in the λΠ°-rewrite system

3. Geuvers' Lemma. Geuvers' lemma is a weak form of the Church-Rosser property which suffices to prove the main typing properties in systems where confluence on terms with type annotations (i.e., in the Church style) is not available. Geuvers' technique uses a positive reformulation of the counter-example of non-confluence, and the fact that the underlying calculus without typing annotations (i.e., in the Curry style) is confluent.

The underlying Curry style of λΠ_L is called λΠ°. In this calculus, substitutions do not have type annotations (but abstractions do keep their type annotations). The set of well-formed terms in λΠ° is the same as in λΠ_L, but substitutions have the following grammar:

$$\text{Substitutions}\qquad S, T ::= \uparrow^n \mid M \cdot S \mid S \circ T.$$

As in the case of λΠ_L, only meta-variables of terms are enabled in λΠ°. The λΠ°-calculus is obtained by modifying the reduction system λΠ_L as shown in Fig. 3.1. As expected, we define the Π°-calculus as λΠ° without rule (Beta).

The positive reformulation of the confluence counter-example in λΠ_L states that if two terms are equal without type annotations, then they are convertible via $=_{\lambda\Pi_{\mathcal L}}$.

Definition 3.1. The erasing mapping $|.| : \lambda\Pi_{\mathcal L} \to \lambda\Pi^\circ$ is defined as follows:

$$\begin{array}{rcll}
|x| & = & x & \text{if } x \in \{1, Type, Kind\} \text{ or } x \text{ is a meta-variable}\\
|\Pi_A.B| & = & \Pi_{|A|}.|B|\\
|\lambda_A.M| & = & \lambda_{|A|}.|M|\\
|(M\ N)| & = & (|M|\ |N|)\\
|M[S]| & = & |M|[|S|]\\
|\uparrow^n| & = & \uparrow^n\\
|S \circ T| & = & |S| \circ |T|\\
|M \cdot_A S| & = & |M| \cdot |S|
\end{array}$$


The following are useful properties of the erasing mapping.

Lemma 3.2 (Erasing properties). Let x and y be expressions in λΠ_L, w be an expression in λΠ°, R one of the rewrite systems λΠ_L or Π_L, and R° the corresponding rewrite system without type annotations, i.e., λΠ° or Π°, then

1. if $x \xrightarrow{R} y$, then $|x| \xrightarrow{R^\circ} |y|$ or $|x| = |y|$,

2. if $|x| \xrightarrow{R^\circ} w$, then there exists $w'$ in λΠ_L such that $x \xrightarrow{R} w'$ and $|w'| = w$, and

3. if x is an R-normal form, then |x| is an R°-normal form.

Proof. Properties (1) and (2) are proved by structural induction on x. Property (3) is a consequence of (2). □

Lemma 3.3 (Positive counter-example). Let x and y be expressions in λΠ_L, if |x| = |y|, then $x =_{\Pi_{\mathcal L}} y$, and therefore, $x =_{\lambda\Pi_{\mathcal L}} y$.

Proof. Since |x| = |y|, x and y have the same principal constructor. We proceed by structural induction on x. If $x = \lambda_A.M$, $y = \lambda_B.N$, and |x| = |y|, then by definition, $\lambda_{|A|}.|M| = \lambda_{|B|}.|N|$ and thus, |A| = |B| and |M| = |N|. By induction hypothesis, $A =_{\Pi_{\mathcal L}} B$ and $M =_{\Pi_{\mathcal L}} N$, and thus, $\lambda_A.M =_{\Pi_{\mathcal L}} \lambda_B.N$. In fact, the only interesting case is $x = M \cdot_A S$ and $y = N \cdot_B T$. We get by induction hypothesis:

$$(3.1)\qquad M =_{\Pi_{\mathcal L}} N$$

$$(3.2)\qquad S =_{\Pi_{\mathcal L}} T$$

Since the function |.| erases type annotations from substitutions, we do not have by induction hypothesis $A =_{\Pi_{\mathcal L}} B$. However, by using the counter-example, we have

$$M \cdot_B S \xleftarrow{\Pi_{\mathcal L}} (1 \cdot_A \uparrow^1) \circ (M \cdot_B S) \xrightarrow{\Pi_{\mathcal L}} M \cdot_A S.$$

We conclude with Eq. 3.1 and Eq. 3.2 that $x = M \cdot_A S =_{\Pi_{\mathcal L}} M \cdot_B S =_{\Pi_{\mathcal L}} N \cdot_B T = y$. □

A consequence of the reformulation of the counter-example is that, if we erase the type annotations of
a term $M$ and then annotate it again with an arbitrary term, we get a term $N$ which is equivalent to $M$
modulo $=_{\lambda\Pi_{\mathcal{L}}}$.

Definition 3.4. Let $A$ be a term in $\lambda\Pi_{\mathcal{L}}$, the annotation mapping $(.)^{\underline{A}} : \lambda\Pi^{D}_{\mathcal{L}} \to \lambda\Pi_{\mathcal{L}}$ is defined as
follows:

$$x^{\underline{A}} = x \quad \text{if } x \in \{1, \mathit{Type}, \mathit{Kind}\} \text{ or } x \text{ is a meta-variable}$$

$$(\Pi_{B_1}.B_2)^{\underline{A}} = \Pi_{B_1^{\underline{A}}}.B_2^{\underline{A}}$$

$$(\lambda_B.M)^{\underline{A}} = \lambda_{B^{\underline{A}}}.M^{\underline{A}}$$

$$(M\ N)^{\underline{A}} = (M^{\underline{A}}\ N^{\underline{A}})$$

$$(M[S])^{\underline{A}} = M^{\underline{A}}[S^{\underline{A}}]$$

$$(\uparrow^{n})^{\underline{A}} = \uparrow^{n}$$

$$(S \circ T)^{\underline{A}} = S^{\underline{A}} \circ T^{\underline{A}}$$

$$(M \cdot S)^{\underline{A}} = M^{\underline{A}} \cdot_A S^{\underline{A}}$$


Lemma 3.5 (Erasing inverse). Let $x$ be an expression in $\lambda\Pi_{\mathcal{L}}$ and $A$ be a term in $\lambda\Pi_{\mathcal{L}}$, $x =_{\lambda\Pi_{\mathcal{L}}} |x|^{\underline{A}}$.

Proof. It is not difficult to show that if $w$ is an expression in $\lambda\Pi^{D}_{\mathcal{L}}$, then $w = |w^{\underline{A}}|$. Let $w = |x|$, by
Lemma 3.3, $x =_{\lambda\Pi_{\mathcal{L}}} |x|^{\underline{A}}$. □

We use the next lemma in the proof of Geuvers' lemma.

Lemma 3.6. Let $x$ and $y$ be expressions in $\lambda\Pi^{D}_{\mathcal{L}}$ and $A$ be a term in $\lambda\Pi_{\mathcal{L}}$, if $x \to_{\lambda\Pi^{D}_{\mathcal{L}}} y$, then $x^{\underline{A}} =_{\lambda\Pi_{\mathcal{L}}} y^{\underline{A}}$.
Therefore, if $x \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} y$, then $x^{\underline{A}} =_{\lambda\Pi_{\mathcal{L}}} y^{\underline{A}}$.

Proof. By induction on the depth of the $\lambda\Pi^{D}_{\mathcal{L}}$-redex reduced in $x$. □

The proof of Geuvers' lemma uses a confluence property of the calculus without type annotations. We
leave the proof of that property (confluence of $\lambda\Pi^{D}_{\mathcal{L}}$) for the last part of this section.

Theorem 3.7 (Confluence of $\lambda\Pi^{D}_{\mathcal{L}}$). The $\lambda\Pi^{D}_{\mathcal{L}}$-calculus is confluent.

Theorem 3.8 (Geuvers' lemma). Let $A_1, A_2, B_1, B_2, M, N$ be terms in $\lambda\Pi_{\mathcal{L}}$,

1. if $\Pi_{A_1}.B_1 =_{\lambda\Pi_{\mathcal{L}}} \Pi_{A_2}.B_2$, then $A_1 =_{\lambda\Pi_{\mathcal{L}}} A_2$ and $B_1 =_{\lambda\Pi_{\mathcal{L}}} B_2$, and

2. if $M =_{\lambda\Pi_{\mathcal{L}}} N$, where $N$ is a $\lambda\Pi_{\mathcal{L}}$-normal form, then there exists $M'$ in $\lambda\Pi_{\mathcal{L}}$ such that $M \to^{*}_{\lambda\Pi_{\mathcal{L}}} M'$
and $|M'| = |N|$.

Proof. We show only the first case. The second case is similar. By Lemma 3.2(1) and the definition of
$|.|$, we have $\Pi_{|A_1|}.|B_1| =_{\lambda\Pi^{D}_{\mathcal{L}}} \Pi_{|A_2|}.|B_2|$. Since $\lambda\Pi^{D}_{\mathcal{L}}$ is confluent (Theorem 3.7), there exists $M$ in $\lambda\Pi^{D}_{\mathcal{L}}$ such
that $\Pi_{|A_1|}.|B_1| \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} M$ and $\Pi_{|A_2|}.|B_2| \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} M$. But there is no $\lambda\Pi^{D}_{\mathcal{L}}$-redex with a product as the main
constructor, so $M$ has the form $\Pi_A.B$ where $|A_1| \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} A$, $|B_1| \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} B$, $|A_2| \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} A$, and $|B_2| \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} B$.
By Lemma 3.5 and Lemma 3.6, for any $\lambda\Pi_{\mathcal{L}}$-term $N$, $A_1 =_{\lambda\Pi_{\mathcal{L}}} |A_1|^{\underline{N}} =_{\lambda\Pi_{\mathcal{L}}} A^{\underline{N}}$, $B_1 =_{\lambda\Pi_{\mathcal{L}}} |B_1|^{\underline{N}} =_{\lambda\Pi_{\mathcal{L}}} B^{\underline{N}}$,
$A_2 =_{\lambda\Pi_{\mathcal{L}}} |A_2|^{\underline{N}} =_{\lambda\Pi_{\mathcal{L}}} A^{\underline{N}}$, and $B_2 =_{\lambda\Pi_{\mathcal{L}}} |B_2|^{\underline{N}} =_{\lambda\Pi_{\mathcal{L}}} B^{\underline{N}}$. Therefore, $A_1 =_{\lambda\Pi_{\mathcal{L}}} A_2$ and $B_1 =_{\lambda\Pi_{\mathcal{L}}} B_2$. □

The rest of this section addresses the proof of confluence of the $\lambda\Pi^{D}_{\mathcal{L}}$-calculus (Theorem 3.7).

First, we prove that the $\Pi^{D}_{\mathcal{L}}$-calculus, that is, $\lambda\Pi^{D}_{\mathcal{L}}$ without (Beta), is terminating and confluent.

Lemma 3.9 (Termination of $\Pi^{D}_{\mathcal{L}}$). $\Pi^{D}_{\mathcal{L}}$ is a terminating rewrite system.

Proof. Since any reduction in $\Pi^{D}_{\mathcal{L}}$ can be properly simulated in $\Pi_{\mathcal{L}}$ (Lemma 3.2(2)), any infinite reduction
in $\Pi^{D}_{\mathcal{L}}$ corresponds to some infinite reduction in $\Pi_{\mathcal{L}}$. But $\Pi_{\mathcal{L}}$ is terminating (Lemma 2.1), thus $\Pi^{D}_{\mathcal{L}}$ is
terminating. □

Lemma 3.10 (Confluence of $\Pi^{D}_{\mathcal{L}}$). The $\Pi^{D}_{\mathcal{L}}$-calculus is confluent.

Proof. We mechanically check, e.g., by using the RRL system [23], that the $\Pi^{D}_{\mathcal{L}}$-rewrite system has the
following critical pairs:

• (Id)-(Clos)

$$M[S] \;\leftarrow^{*}_{\Pi^{D}_{\mathcal{L}}}\; M[S][\uparrow^{0}] \;\to^{*}_{\Pi^{D}_{\mathcal{L}}}\; M[S \circ \uparrow^{0}]$$

• (Clos)-(Clos)

$$M[(S_1 \circ S_2) \circ T] \;\leftarrow^{*}_{\Pi^{D}_{\mathcal{L}}}\; M[S_1][S_2][T] \;\to^{*}_{\Pi^{D}_{\mathcal{L}}}\; M[S_1 \circ (S_2 \circ T)]$$

• (Shift0)-(Map)

$$S \;\leftarrow^{*}_{\Pi^{D}_{\mathcal{L}}}\; (1 \cdot \uparrow^{1}) \circ S \;\to^{*}_{\Pi^{D}_{\mathcal{L}}}\; 1[S] \cdot (\uparrow^{1} \circ S)$$

• (ShiftS)-(Map)

$$\uparrow^{n} \circ S \;\leftarrow^{*}_{\Pi^{D}_{\mathcal{L}}}\; (1[\uparrow^{n}] \cdot \uparrow^{n+1}) \circ S \;\to^{*}_{\Pi^{D}_{\mathcal{L}}}\; 1[\uparrow^{n} \circ S] \cdot (\uparrow^{n+1} \circ S)$$

• (Lambda)-(Clos) and (Pi)-(Clos).

Let $S_1 = 1 \cdot ((S \circ \uparrow^{1}) \circ (1 \cdot (T \circ \uparrow^{1})))$ and $S_2 = 1 \cdot ((S \circ T) \circ \uparrow^{1})$,

$$\lambda_{A[S \circ T]}.M[S_1] \;\leftarrow^{*}_{\Pi^{D}_{\mathcal{L}}}\; (\lambda_A.M)[S][T] \;\to^{*}_{\Pi^{D}_{\mathcal{L}}}\; \lambda_{A[S \circ T]}.M[S_2]$$

$$\Pi_{A[S \circ T]}.B[S_1] \;\leftarrow^{*}_{\Pi^{D}_{\mathcal{L}}}\; (\Pi_A.B)[S][T] \;\to^{*}_{\Pi^{D}_{\mathcal{L}}}\; \Pi_{A[S \circ T]}.B[S_2]$$

These critical pairs are $\Pi^{D}_{\mathcal{L}}$-joinable (we recall that only meta-variables of terms are admitted). Using
an extension to the Critical Pair lemma proposed in [33] (based on similar extensions originally presented in
[22, 40]), we conclude that $\Pi^{D}_{\mathcal{L}}$ is locally confluent. Therefore, by Newman's lemma and Lemma 3.9, $\Pi^{D}_{\mathcal{L}}$ is
confluent. □

Fig. 3.2. The parallelization of (Beta). [figure not reproduced]
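The joinability claim for the critical pairs above can be checked mechanically on concrete instances, since $\Pi^{D}_{\mathcal{L}}$ is terminating (Lemma 3.9) and joinability then reduces to comparing normal forms. The following is an added example, not code from the paper or the RRL system: it encodes $\Pi^{D}_{\mathcal{L}}$ as a small innermost rewriter over a constructed tuple encoding. The rule set is the standard $\lambda\sigma$-style set with $\uparrow^{n}$ reconstructed from the critical pairs on the page; rules whose names do not appear on the page (composition with $\uparrow^{0}$, associativity of $\circ$, $\uparrow^{n+1} \circ (M \cdot S)$, $\uparrow^{n} \circ \uparrow^{m}$) are marked as assumed in the comments. Substitutions in the instances are closed (only meta-variables of terms occur), as the lemma requires.

```python
"""Pi^D_L as a small rewriting engine (constructed example), used to check
that the critical pairs of Lemma 3.10 are joinable on concrete instances.

Encoding (constructed): ('one',) is index 1; ('mv', n) a term meta-variable;
('app', M, N); ('lam', A, M); ('pi', A, B); ('clos', M, S) is M[S];
('shift', n) is shift^n; ('cons', M, S) is M . S; ('comp', S, T) is S o T."""

ONE, SH0, SH1 = ('one',), ('shift', 0), ('shift', 1)


def mv(name): return ('mv', name)
def sh(n): return ('shift', n)
def cons(m, s): return ('cons', m, s)
def comp(s, t): return ('comp', s, t)
def clos(m, s): return ('clos', m, s)


def rewrite_root(x):
    """Apply one Pi^D_L rule at the root of x, or return None."""
    tag = x[0]
    if tag == 'clos':
        m, s = x[1], x[2]
        if s == SH0:                                   # (Id)      M[shift^0] -> M
            return m
        if m[0] == 'app':                              # (App)     (M N)[S] -> (M[S] N[S])
            return ('app', clos(m[1], s), clos(m[2], s))
        if m[0] in ('lam', 'pi'):                      # (Lambda)/(Pi)  (l_A.M)[S] -> l_{A[S]}.M[1.(S o shift^1)]
            return (m[0], clos(m[1], s), clos(m[2], cons(ONE, comp(s, SH1))))
        if m[0] == 'clos':                             # (Clos)    M[S][T] -> M[S o T]
            return clos(m[1], comp(m[2], s))
        if m == ONE and s[0] == 'cons':                # (VarCons) 1[M . S] -> M
            return s[1]
    elif tag == 'comp':
        s, t = x[1], x[2]
        if s == SH0:                                   # assumed:  shift^0 o S -> S
            return t
        if s[0] == 'cons':                             # (Map)     (M . S) o T -> M[T] . (S o T)
            return cons(clos(s[1], t), comp(s[2], t))
        if s[0] == 'comp':                             # assumed:  (S o T) o U -> S o (T o U)
            return comp(s[1], comp(s[2], t))
        if s[0] == 'shift' and t[0] == 'cons':         # assumed:  shift^{n+1} o (M . S) -> shift^n o S
            return comp(sh(s[1] - 1), t[2])
        if s[0] == 'shift' and t[0] == 'shift':        # assumed:  shift^n o shift^m -> shift^{n+m}
            return sh(s[1] + t[1])
    elif tag == 'cons':
        m, s = x[1], x[2]
        if m == ONE and s == SH1:                      # (Shift0)  1 . shift^1 -> shift^0
            return SH0
        if (m[0] == 'clos' and m[1] == ONE and m[2][0] == 'shift'
                and s == sh(m[2][1] + 1)):             # (ShiftS)  1[shift^n] . shift^{n+1} -> shift^n
            return m[2]
    return None


def normalize(x, depth=400):
    """Innermost normalization.  Pi^D_L terminates (Lemma 3.9), so this stops;
    the depth bound only turns a mis-typed rule set into an error."""
    if depth <= 0:
        raise RuntimeError('no normal form reached; rule set is not Pi^D_L')
    if x[0] in ('one', 'type', 'kind', 'mv', 'shift'):
        return x
    y = (x[0],) + tuple(normalize(c, depth - 1) for c in x[1:])
    z = rewrite_root(y)
    return y if z is None else normalize(z, depth - 1)


def critical_pairs():
    """The critical pairs listed in the proof of Lemma 3.10, instantiated with
    closed substitutions S = Y . shift^2 and T = shift^1 (constructed)."""
    X, Y, Z, W = mv('X'), mv('Y'), mv('Z'), mv('W')
    S, T = cons(Y, sh(2)), SH1
    S1 = cons(ONE, comp(comp(S, SH1), cons(ONE, comp(T, SH1))))
    S2 = cons(ONE, comp(comp(S, T), SH1))
    return [
        ('(Id)-(Clos)', clos(X, S), clos(X, comp(S, SH0))),
        ('(Clos)-(Clos)', clos(X, comp(comp(SH1, cons(Z, SH0)), S)),
                          clos(X, comp(SH1, comp(cons(Z, SH0), S)))),
        ('(Shift0)-(Map)', S, cons(clos(ONE, S), comp(SH1, S))),
        ('(ShiftS)-(Map)', comp(sh(2), S),
                           cons(clos(ONE, comp(sh(2), S)), comp(sh(3), S))),
        ('(Lambda)-(Clos)', ('lam', clos(W, comp(S, T)), clos(X, S1)),
                            ('lam', clos(W, comp(S, T)), clos(X, S2))),
        ('(Pi)-(Clos)', ('pi', clos(W, comp(S, T)), clos(X, S1)),
                        ('pi', clos(W, comp(S, T)), clos(X, S2))),
    ]


def joinable(left, right):
    """Two sides of a peak are joinable iff their Pi^D_L-normal forms agree."""
    return normalize(left) == normalize(right)


def check_critical_pairs():
    return {name: joinable(l, r) for name, l, r in critical_pairs()}


if __name__ == '__main__':
    for name, ok in check_critical_pairs().items():
        print('%-18s joinable: %s' % (name, ok))
```

The (Id)-(Clos) pair is the one that depends on the restriction to meta-variables of terms: $S \circ \uparrow^{0}$ only reduces to $S$ because a closed $S$ is a shift or a cons, and the engine relies on the same shape when it composes a shift with a normalized substitution.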

The confluence proof of the $\lambda\Pi^{D}_{\mathcal{L}}$-calculus uses a general method proposed in [45] to prove confluence of
abstract relations: the Yokouchi-Hikita lemma. This method has been shown to be suitable for left-linear calculi of
explicit substitutions [7, 37, 33].

Lemma 3.11 (Yokouchi-Hikita's lemma). Let $R$ and $S$ be two relations defined on a set $X$ such that: 1)
$R$ is confluent and terminating, 2) $S$ is strongly confluent, and 3) $S$ and $R$ commute in the following way:

for any $x, y, z \in X$, if $x \to_{R} y$ and $x \to_{S} z$, then there exists $w \in X$ such that $y \to_{R^{*}SR^{*}} w$ and $z \to^{*}_{R} w$.

Then the relation $R^{*}SR^{*}$ is confluent.

Proof. See [7]. □

We take the set of $\lambda\Pi^{D}_{\mathcal{L}}$-expressions as $X$, $\Pi^{D}_{\mathcal{L}}$ as $R$ and $B_{\parallel}$ as $S$, where $B_{\parallel}$ is the parallelization of (Beta)
defined in Fig. 3.2.

Lemma 3.12. $\Pi^{D}_{\mathcal{L}}$ commutes over $B_{\parallel}$, i.e., if $x$ reduces in one $\Pi^{D}_{\mathcal{L}}$-step to $y$, and in one $B_{\parallel}$-step to $z$,
then there exists $w$ such that $y \to_{(\Pi^{D}_{\mathcal{L}})^{*} B_{\parallel} (\Pi^{D}_{\mathcal{L}})^{*}} w$ and $z \to^{*}_{\Pi^{D}_{\mathcal{L}}} w$.

Proof. By case analysis on the redex reduced in $x$. □

We are now ready to prove the confluence property of $\lambda\Pi^{D}_{\mathcal{L}}$.

Theorem 3.7. The $\lambda\Pi^{D}_{\mathcal{L}}$-calculus is confluent.

Proof. We verify that $\Pi^{D}_{\mathcal{L}}$ and $B_{\parallel}$ satisfy the conditions of the Yokouchi-Hikita lemma, that is,

1. $\Pi^{D}_{\mathcal{L}}$ is terminating and confluent (Lemma 3.9 and Lemma 3.10),

2. $B_{\parallel}$ is strongly confluent, since (Beta) by itself is a left-linear system with no critical pairs (cf. [19]),
and

3. $\Pi^{D}_{\mathcal{L}}$ commutes over $B_{\parallel}$ (Lemma 3.12).

Therefore, $(\Pi^{D}_{\mathcal{L}})^{*} B_{\parallel} (\Pi^{D}_{\mathcal{L}})^{*}$ is confluent.

Note that $\lambda\Pi^{D}_{\mathcal{L}} \subseteq (\Pi^{D}_{\mathcal{L}})^{*} B_{\parallel} (\Pi^{D}_{\mathcal{L}})^{*} \subseteq (\lambda\Pi^{D}_{\mathcal{L}})^{*}$. Let $x$ be an expression in $\lambda\Pi^{D}_{\mathcal{L}}$. If
$x \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} y$ and $x \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} z$, then by the first inclusion $x \to^{*}_{(\Pi^{D}_{\mathcal{L}})^{*} B_{\parallel} (\Pi^{D}_{\mathcal{L}})^{*}} y$ and
$x \to^{*}_{(\Pi^{D}_{\mathcal{L}})^{*} B_{\parallel} (\Pi^{D}_{\mathcal{L}})^{*}} z$, so by confluence of $(\Pi^{D}_{\mathcal{L}})^{*} B_{\parallel} (\Pi^{D}_{\mathcal{L}})^{*}$ there exists $w$ such that
$y \to^{*}_{(\Pi^{D}_{\mathcal{L}})^{*} B_{\parallel} (\Pi^{D}_{\mathcal{L}})^{*}} w$ and $z \to^{*}_{(\Pi^{D}_{\mathcal{L}})^{*} B_{\parallel} (\Pi^{D}_{\mathcal{L}})^{*}} w$. By the second inclusion, $y \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} w$
and $z \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} w$. □

4. Elementary Typing Properties. The elementary typing properties of $\lambda\Pi_{\mathcal{L}}$ are

• Sort soundness: the type of a term is a valid sort.

• Type uniqueness: the type of a term is unique modulo $=_{\lambda\Pi_{\mathcal{L}}}$.

• Subject reduction: the $\lambda\Pi_{\mathcal{L}}$-rewrite system preserves typing.

• Soundness: there always exists a path of well-typed terms between equivalent well-typed terms.

We use Geuvers' lemma to prove the last two of the above properties.

Theorem 4.1 (Sort soundness).

1. If $\Sigma; \Gamma \vdash M : A$, then $A = \mathit{Kind}$ or $\Sigma; \Gamma \vdash A : s$, $s \in \{\mathit{Kind}, \mathit{Type}\}$, and

2. if $\Sigma; \Gamma \vdash S \triangleright \Delta$, then $\Sigma; \Delta \vdash$ (i.e., $\Delta$ is a valid context).

Proof. By induction on the typing derivation. □

Theorem 4.2 (Type uniqueness). Let $\Gamma_1$ and $\Gamma_2$ be such that $\Gamma_1 =_{\lambda\Pi_{\mathcal{L}}} \Gamma_2$,

1. if $\Sigma; \Gamma_1 \vdash M : A$ and $\Sigma; \Gamma_2 \vdash M : B$, then $A =_{\lambda\Pi_{\mathcal{L}}} B$, and

2. if $\Sigma; \Gamma_1 \vdash S \triangleright \Delta_1$ and $\Sigma; \Gamma_2 \vdash S \triangleright \Delta_2$, then $\Delta_1 =_{\lambda\Pi_{\mathcal{L}}} \Delta_2$.

Proof. By simultaneous structural induction on $M$ and $S$. □

Theorem 4.3 (Subject reduction). The $\lambda\Pi_{\mathcal{L}}$-calculus preserves typing, i.e., if $x \to^{*}_{\lambda\Pi_{\mathcal{L}}} y$, for an expression
$x$, then

1. if $x$ is a term and $\Sigma; \Gamma \vdash x : A$, then $\Sigma; \Gamma \vdash y : A$, and

2. if $x$ is a substitution and $\Sigma; \Gamma \vdash x \triangleright \Delta$, then $\Sigma; \Gamma \vdash y \triangleright \Delta$.

Proof. We show that typing is preserved for one-step reductions (i.e., $\to_{\lambda\Pi_{\mathcal{L}}}$), and therefore, it is also
preserved for the reflexive and transitive closure (i.e., $\to^{*}_{\lambda\Pi_{\mathcal{L}}}$). Let $x \to_{\lambda\Pi_{\mathcal{L}}} y$ be a one-step reduction. We proceed by
induction on the depth of the redex reduced in $x$.

In the initial case, $x$ is reduced at the top level, and we proceed by case analysis. We show the case of
rule (Beta):

Let $\Sigma; \Gamma \vdash (\lambda_A.M\ N) : B$. We show $\Sigma; \Gamma \vdash M[N \cdot_A \uparrow^{0}] : B$.

We have:

1. (a) $\Sigma; \Gamma \vdash \lambda_A.M : \Pi_{A_1}.B_1$, (b) $\Sigma; \Gamma \vdash N : A_1$, and (c) $B =_{\lambda\Pi_{\mathcal{L}}} B_1[N \cdot_{A_1} \uparrow^{0}]$, by inversion of rule
(Appl) applied to the hypothesis.

2. (a) $\Sigma; \Gamma \vdash A : \mathit{Type}$, (b) $\Sigma; A.\Gamma \vdash M : B_2$, (c) $\Sigma; A.\Gamma \vdash B_2 : s_2$, $s_2 \in \{\mathit{Kind}, \mathit{Type}\}$, and (d)
$\Pi_A.B_2 =_{\lambda\Pi_{\mathcal{L}}} \Pi_{A_1}.B_1$, by inversion of rule (Abs) applied to (1-a).

3. (a) $A =_{\lambda\Pi_{\mathcal{L}}} A_1$ and (b) $B_2 =_{\lambda\Pi_{\mathcal{L}}} B_1$, by Geuvers' lemma (Theorem 3.8) applied to (2-d).

4. $\Sigma; \Gamma \vdash N : A$, by rule (Conv) applied to (1-b), (2-a), and (3-a).

5. $\Sigma; \Gamma \vdash N \cdot_A \uparrow^{0} \triangleright A.\Gamma$, by rule (Cons) applied to (4), (2-a), and $\Sigma; \Gamma \vdash \uparrow^{0} \triangleright \Gamma$.

6. $B_2[N \cdot_A \uparrow^{0}] =_{\lambda\Pi_{\mathcal{L}}} B_1[N \cdot_A \uparrow^{0}] =_{\lambda\Pi_{\mathcal{L}}} B_1[N \cdot_{A_1} \uparrow^{0}] =_{\lambda\Pi_{\mathcal{L}}} B$, by (1-c) and (3).

7. $\Sigma; \Gamma \vdash B : s_1$, $s_1 \in \{\mathit{Kind}, \mathit{Type}\}$, by sort soundness (Theorem 4.1) applied to the hypothesis. Note
that the case $B = \mathit{Kind}$ is not possible.

Therefore, we have the derivation

$$\frac{\dfrac{\Sigma; A.\Gamma \vdash M : B_2\ \ (2\text{-}b) \qquad \Sigma; A.\Gamma \vdash B_2 : s_2\ \ (2\text{-}c) \qquad \Sigma; \Gamma \vdash N \cdot_A \uparrow^{0} \triangleright A.\Gamma\ \ (5)}{\Sigma; \Gamma \vdash M[N \cdot_A \uparrow^{0}] : B_2[N \cdot_A \uparrow^{0}]}\ (\mathrm{Clos}) \qquad (6) \qquad (7)}{\Sigma; \Gamma \vdash M[N \cdot_A \uparrow^{0}] : B}\ (\mathrm{Conv})$$

The other cases are similar. The induction step cases do not present any difficulty. □
Sometimes the conversion rule (Conv) is expressed as [14]:

$$\frac{\Gamma \vdash M : A \qquad \Gamma \vdash B : s \qquad s \in \{\mathit{Kind}, \mathit{Type}\} \qquad A \to B \text{ or } B \to A}{\Gamma \vdash M : B}\ (\mathrm{Conv'})$$

Rule (Conv) seems to be more general than rule (Conv'). In fact, the latter one allows conversions of
types only via a path of well-typed terms. Geuvers and Werner [14] define a type system to be sound if the
convertibility of terms remains in the set of well-typed terms. In sound systems, rules (Conv) and (Conv')
are equivalent.

We use the following lemma in the soundness proof of the $\lambda\Pi_{\mathcal{L}}$-system.

Lemma 4.4. Let $x, y$ be $\lambda\Pi_{\mathcal{L}}$-expressions in $\Pi_{\mathcal{L}}$-normal form such that $|x| = |y|$, if $x$ and $y$ are well-typed
expressions, then they are convertible via a path of well-typed expressions.

Proof. By structural induction on $x$ and $y$. □

Theorem 4.5 (Soundness). If $\Sigma; \Gamma \vdash M : A$, $\Sigma; \Gamma \vdash N : B$ and $M =_{\lambda\Pi_{\mathcal{L}}} N$, then $M$ and $N$ are
convertible via a path of well-typed terms.

Proof. From Lemma 3.2(1), we have $|M| =_{\lambda\Pi^{D}_{\mathcal{L}}} |N|$. The confluence property of $\lambda\Pi^{D}_{\mathcal{L}}$ states that there
exists $x \in \lambda\Pi^{D}_{\mathcal{L}}$ such that $|M| \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} x$ and $|N| \to^{*}_{\lambda\Pi^{D}_{\mathcal{L}}} x$. By Lemma 3.2(2), there exist $M_1, N_1$ in $\lambda\Pi_{\mathcal{L}}$
such that $M \to^{*}_{\lambda\Pi_{\mathcal{L}}} M_1$, $N \to^{*}_{\lambda\Pi_{\mathcal{L}}} N_1$, and $|M_1| = |N_1| = x$. Since $\Pi_{\mathcal{L}}$ is terminating (Lemma 2.1), there
exist $\Pi_{\mathcal{L}}$-normal forms $M_2, N_2$ such that $M_1 \to^{*}_{\Pi_{\mathcal{L}}} M_2$, $N_1 \to^{*}_{\Pi_{\mathcal{L}}} N_2$. By the subject reduction property
(Theorem 4.3), $\Sigma; \Gamma \vdash M_2 : A$ and $\Sigma; \Gamma \vdash N_2 : B$, and all the terms in both reductions are well-typed.
Now, from Lemma 3.2(1), we have $x \to^{*}_{\Pi^{D}_{\mathcal{L}}} |M_2|$ and $x \to^{*}_{\Pi^{D}_{\mathcal{L}}} |N_2|$. But $M_2$ and $N_2$ are $\Pi_{\mathcal{L}}$-normal
forms, thus, by Lemma 3.2(3), $|M_2|$ and $|N_2|$ are $\Pi^{D}_{\mathcal{L}}$-normal forms. Since $\Pi^{D}_{\mathcal{L}}$ is confluent, $|M_2| = |N_2|$. By
Lemma 4.4, $M_2$ and $N_2$ are convertible via a path of well-typed terms. Therefore, $M$ and $N$ are convertible
via a path of well-typed terms. □

A direct consequence of typing soundness and subject reduction is the following property.

Lemma 4.6. If $\Sigma; \Gamma \vdash M_1 : A_1$, $\Sigma; \Gamma \vdash M_2 : A_2$, and $M_1 =_{\lambda\Pi_{\mathcal{L}}} M_2$, then $A_1 =_{\lambda\Pi_{\mathcal{L}}} A_2$.

Proof. By induction on the length of the path of well-typed expressions converting $M_1$ to $M_2$. □

5. The Main Properties: Weak Normalization and Confluence. In this section we address the
proof of the main properties of $\lambda\Pi_{\mathcal{L}}$ on well-typed expressions: weak normalization and confluence.

5.1. Weak normalization. The $\lambda\Pi_{\mathcal{L}}$-calculus does not preserve strong normalization of $\lambda\Pi$. In fact,
the counterexample shown in [30] for $\lambda\sigma$ may be reproduced in $\lambda\Pi_{\mathcal{L}}$ with some minor modifications.

Nevertheless, we prove that $\lambda\Pi_{\mathcal{L}}$ is weakly normalizing on well-typed expressions, i.e., there exists a
strategy to find $\lambda\Pi_{\mathcal{L}}$-normal forms of well-typed expressions. In particular, we propose a proof of strong
normalization of the strategy that performs one step of (Beta) followed by a $\Pi_{\mathcal{L}}$-normalization.

We use the standard technique of reducibility, originally due to Tait for the simply-typed $\lambda$-calculus
[42], and then extended by Girard to system F (the second-order $\lambda$-calculus) [15]. From the diverse
proofs of termination using a reducibility notion, we follow the presentation given in [12] for the Calculus of
Constructions, which is based on saturated sets. We adapt this proof for the $\lambda\Pi_{\mathcal{L}}$-calculus. In order to avoid
some technical problems due to the non-confluence of the calculus with type annotations (not necessarily
well-typed), we define saturated sets in a slightly different way. However, the structure of the proofs is the
same.
We use $(x){\downarrow}_{\Pi_{\mathcal{L}}}$ as a shorthand for the set of $\Pi_{\mathcal{L}}$-normal forms of $x$. The set containing all the $\Pi_{\mathcal{L}}$-normal
forms of $\lambda\Pi_{\mathcal{L}}$ is denoted by $\mathcal{NF}$.

Definition 5.1. Let $x, y \in \mathcal{NF}$, we say that $x$ $\beta\Pi_{\mathcal{L}}$-reduces to $y$, denoted by $x \to_{\beta\Pi_{\mathcal{L}}} y$, if $x \to_{(\mathrm{Beta})} w$
and $y \in (w){\downarrow}_{\Pi_{\mathcal{L}}}$. Notice that the set of $\beta\Pi_{\mathcal{L}}$-normal forms is equal to the set of $\lambda\Pi_{\mathcal{L}}$-normal forms, and
that $x \to_{\beta\Pi_{\mathcal{L}}} y$ implies $x \to^{*}_{\lambda\Pi_{\mathcal{L}}} y$. In fact, we will show that $\beta\Pi_{\mathcal{L}}$ is strongly normalizing on well-typed
expressions, and therefore, $\lambda\Pi_{\mathcal{L}}$ is weakly normalizing on well-typed expressions.

We denote by $\mathcal{SN}$ the set of $\beta\Pi_{\mathcal{L}}$-strongly normalizing expressions of $\mathcal{NF}$.

Definition 5.2. Let $M$ be a term in $\mathcal{NF}$. The term $M$ is neutral if it does not have the form $\lambda_A.N$.
The set of neutral terms is denoted by $\mathcal{NT}$.

Definition 5.3. Let $x$ be in $\mathcal{NF}$. The set of annotations of $x$, denoted by $\mathcal{N}(x)$, is defined inductively
as follows:

$$\mathcal{N}(x) = \emptyset \quad \text{if } x \in \{\mathit{Kind}, \mathit{Type}, 1\} \text{ or } x = \uparrow^{n} \text{ or } x \text{ is a meta-variable}$$

$$\mathcal{N}(\Pi_A.B) = \mathcal{N}(A) \cup \mathcal{N}(B)$$

$$\mathcal{N}(\lambda_A.M) = \mathcal{N}(A) \cup \mathcal{N}(M)$$

$$\mathcal{N}(M\ N) = \mathcal{N}(M) \cup \mathcal{N}(N)$$

$$\mathcal{N}(M[S]) = \mathcal{N}(M) \cup \mathcal{N}(S)$$

$$\mathcal{N}(S \circ T) = \mathcal{N}(S) \cup \mathcal{N}(T)$$

$$\mathcal{N}(M \cdot_A S) = \{A\} \cup \mathcal{N}(M) \cup \mathcal{N}(S)$$

Definition 5.4. A set of terms $\Lambda \subseteq \mathcal{NF}$ is saturated if

1. $\Lambda \subseteq \mathcal{SN}$,

2. if $M \in \Lambda$ and $M \to_{\beta\Pi_{\mathcal{L}}} N$, then $N \in \Lambda$,

3. if $M \in \mathcal{NT}$, and whenever the reduction of a $\beta\Pi_{\mathcal{L}}$-redex of $M$ leads to a term $N \in \Lambda$, then $M \in \Lambda$,
and

4. if $M \in \Lambda$, $|M| = |N|$, and $\mathcal{N}(N) \subseteq \mathcal{SN}$, then $N \in \Lambda$.

The set of saturated sets is denoted by $\mathcal{SAT}$.

The following corollary is a trivial consequence of Def. 5.4(3).

Corollary 5.5. Let $M \in \mathcal{NT}$ such that $M$ is a $\beta\Pi_{\mathcal{L}}$-normal form, for any $\Lambda \in \mathcal{SAT}$, $M \in \Lambda$.

The following lemmas show particular cases of terms that are in saturated sets.

Lemma 5.6. For any $\Lambda \in \mathcal{SAT}$, substitution $S \in \mathcal{SN}$, and meta-variable $X$, we have $(X[S]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq \Lambda$.

Proof. Let $\Lambda \in \mathcal{SAT}$ and $M \in (X[S]){\downarrow}_{\Pi_{\mathcal{L}}}$. Since $M$ is neutral it suffices to consider the reductions of $M$
(Def. 5.4(3)). We reason by induction on $\nu(S)$³. Only two reductions are possible:

• $M \to_{\beta\Pi_{\mathcal{L}}} X$, and by Corollary 5.5, $X \in \Lambda$.

• $M \to_{\beta\Pi_{\mathcal{L}}} X[T]$ where $S \to_{\beta\Pi_{\mathcal{L}}} T$. By hypothesis, $T \in \mathcal{SN}$, and $\nu(S) > \nu(T)$, so by induction
hypothesis, $(X[T]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq \Lambda$.

In both cases, $M$ reduces to terms in $\Lambda$, thus, $M \in \Lambda$. □

Lemma 5.7. For any $\Lambda \in \mathcal{SAT}$, and terms $A, B \in \mathcal{SN}$, $\Pi_A.B \in \Lambda$.

Proof. The term $\Pi_A.B$ is neutral. By Def. 5.4(3) it suffices to consider the reductions of $\Pi_A.B$. We
reason by induction on $\nu(A) + \nu(B)$. □

Lemma 5.8. $\mathcal{SN} \in \mathcal{SAT}$.

Proof. We verify the following conditions (Def. 5.4).

³ If $x$ is strongly normalizing, $\nu(x)$ is a number which bounds the length of every normalization sequence beginning with
$x$ [16].
1. $\mathcal{SN} \subseteq \mathcal{SN}$.

2. If $M \in \mathcal{SN}$ and $M \to_{\beta\Pi_{\mathcal{L}}} N$, then $N \in \mathcal{SN}$.

3. If $M \in \mathcal{NT}$, and whenever the reduction of a $\beta\Pi_{\mathcal{L}}$-redex of $M$ leads to a term $N \in \mathcal{SN}$, then
$M \in \mathcal{SN}$.

4. If $M \in \mathcal{SN}$, $|M| = |N|$, and $\mathcal{N}(N) \subseteq \mathcal{SN}$, then $N \in \mathcal{SN}$. □

Definition 5.9. If $\Lambda, \Lambda' \in \mathcal{SAT}$, we define the set

$$\Lambda \to \Lambda' = \{M \in \mathcal{NF} \mid \forall N \in \Lambda,\ (M\ N) \in \Lambda'\}.$$

Lemma 5.10. $\mathcal{SAT}$ is closed under function spaces, i.e., if $\Lambda, \Lambda' \in \mathcal{SAT}$, then $\Lambda \to \Lambda' \in \mathcal{SAT}$.

Proof. We verify the conditions in Def. 5.4:

1. $\Lambda \to \Lambda' \subseteq \mathcal{SN}$:

Let $M$ be in $\Lambda \to \Lambda'$. By Def. 5.9 and Def. 5.4(1), $(M\ N) \in \Lambda' \subseteq \mathcal{SN}$ for all $N \in \Lambda$. Thus, $M \in \mathcal{SN}$.

2. If $M \in \Lambda \to \Lambda'$ and $M \to_{\beta\Pi_{\mathcal{L}}} N$, then $N \in \Lambda \to \Lambda'$.

Let $N_1$ be in $\Lambda$. We show that $(N\ N_1) \in \Lambda'$. By hypothesis, $(M\ N_1) \in \Lambda'$ and $(M\ N_1) \to_{\beta\Pi_{\mathcal{L}}} (N\ N_1)$.
Thus, $(N\ N_1) \in \Lambda'$ by Def. 5.4(2).

3. If $M \in \mathcal{NT}$, and whenever the reduction of a $\beta\Pi_{\mathcal{L}}$-redex of $M$ leads to a term $N \in \Lambda \to \Lambda'$, then
$M \in \Lambda \to \Lambda'$.

Let $N_1$ be in $\Lambda$, we show that $(M\ N_1) \in \Lambda'$. Since $(M\ N_1) \in \mathcal{NT}$, it suffices by Def. 5.4(3) to prove
that if $(M\ N_1) \to_{\beta\Pi_{\mathcal{L}}} N_2$, then $N_2 \in \Lambda'$. We have $N_1 \in \Lambda \subseteq \mathcal{SN}$. We reason by induction on $\nu(N_1)$.
Since $M \in \mathcal{NT}$, $(M\ N_1)$ $\beta\Pi_{\mathcal{L}}$-reduces in one step to

• $(M_1\ N_1)$, with $M \to_{\beta\Pi_{\mathcal{L}}} M_1$. By hypotheses, $M_1 \in \Lambda \to \Lambda'$ and $N_1 \in \Lambda$, thus $(M_1\ N_1) \in \Lambda'$.

• $(M\ N_2)$, with $N_1 \to_{\beta\Pi_{\mathcal{L}}} N_2$. By Def. 5.4(2), $N_2 \in \Lambda$ and $\nu(N_2) < \nu(N_1)$, thus, by induction
hypothesis, $(M\ N_2) \in \Lambda'$.

In both cases, $(M\ N_1)$ reduces to terms in $\Lambda'$. Hence, $(M\ N_1) \in \Lambda'$.

4. If $M \in \Lambda \to \Lambda'$, $|M| = |N|$, and $\mathcal{N}(N) \subseteq \mathcal{SN}$, then $N \in \Lambda \to \Lambda'$.

Let $N_1$ be in $\Lambda$. We show that $(N\ N_1) \in \Lambda'$. By hypothesis, $(M\ N_1) \in \Lambda'$, but also, $|(M\ N_1)| =$
$|(N\ N_1)|$. By Def. 5.4(4), it suffices to show that $\mathcal{N}(N\ N_1) \subseteq \mathcal{SN}$. Since $N_1 \in \Lambda \subseteq \mathcal{SN}$, we have
$\mathcal{N}(N_1) \subseteq \mathcal{SN}$. Therefore, $\mathcal{N}(N\ N_1) = \mathcal{N}(N) \cup \mathcal{N}(N_1) \subseteq \mathcal{SN}$. □
The next step in the proof is the interpretation of types.

Definition 5.11. The type interpretation function of terms in $\lambda\Pi_{\mathcal{L}}$ is defined inductively as follows:

$$[\![x]\!] = \mathcal{SN} \quad \text{if } x \in \{\mathit{Kind}, \mathit{Type}, 1\} \text{ or } x \text{ is a meta-variable}$$

$$[\![M[S]]\!] = [\![M]\!]$$

$$[\![(M\ N)]\!] = [\![M]\!]$$

$$[\![\lambda_A.B]\!] = [\![B]\!]$$

$$[\![\Pi_A.B]\!] = [\![A]\!] \to [\![B]\!]$$

We have the following corollary of Lemma 5.10.

Corollary 5.12. For any term $M$, $[\![M]\!] \in \mathcal{SAT}$.

Lists of types, i.e., contexts, are interpreted by a set of explicit substitutions.

Definition 5.13. The valuations of $\Gamma$, denoted by $[\![\Gamma]\!]$, is a set of substitutions in $\mathcal{NF}$ defined
inductively on $\Gamma$ as follows:

$$[\![\varepsilon]\!] = \{\uparrow^{n} \mid \text{for any natural } n\}$$

$$[\![A.\Delta]\!] = [\![\varepsilon]\!] \cup \{M \cdot_B S \in \mathcal{NF} \mid M \in [\![B]\!],\ S \in [\![\Delta]\!],\ B \in \mathcal{SN},\ [\![A]\!] = [\![B]\!]\}$$

Lemma 5.14. For any $\Gamma$, $[\![\Gamma]\!] \subseteq \mathcal{SN}$.

Proof. We show by structural induction on $S$ that if $S \in [\![\Gamma]\!]$, then $S \in \mathcal{SN}$. □

Definition 5.15. Let $M$ be a term in $\mathcal{NF}$ and $S$ be a substitution in $\mathcal{NF}$. We define

1. $\Gamma$ satisfies that $M$ is of type $A$, denoted by $\Gamma \models M : A$, if and only if $(M[T]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![A]\!]$ for any
$T \in [\![\Gamma]\!]$.

2. $\Gamma$ satisfies that $S$ is of type $\Delta$, denoted by $\Gamma \models S \triangleright \Delta$, if and only if $(S \circ T){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![\Delta]\!]$ for any
$T \in [\![\Gamma]\!]$.

We are almost ready to prove the key property which leads to the strong normalization property of $\beta\Pi_{\mathcal{L}}$.
It states that if $\Sigma; \Gamma \vdash M : A$, then $\Gamma \models M : A$. Before that, we need some more technical lemmas.

Lemma 5.16. Let $A$ be a term in $\mathcal{SN}$. For all substitutions $S \in [\![\Gamma]\!]$ and terms $M \in [\![A]\!]$, $(M \cdot_A S){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq$
$[\![A.\Gamma]\!]$.

Proof. Note that $M \cdot_A S$ is not necessarily in $\mathcal{NF}$. But there are two cases: $(M \cdot_A S){\downarrow}_{\Pi_{\mathcal{L}}} = \{M \cdot_A S\}$
or $(M \cdot_A S){\downarrow}_{\Pi_{\mathcal{L}}} = \{\uparrow^{n}\}$. In both cases we verify that $(M \cdot_A S){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![A.\Gamma]\!]$. □

Lemma 5.17. Let $M$ be a term in $\mathcal{NF}$, if $\Sigma; \Gamma \vdash M : A$ and $\Sigma; \Gamma \vdash A : \mathit{Type}$, then $[\![M]\!] = \mathcal{SN}$.

Proof. By structural induction on $M$. We show the case where $M = (M_1\ M_2)$, the other cases are
similar. We have:

1. (a) $\Sigma; \Gamma \vdash M_1 : \Pi_{A_1}.B_1$, (b) $\Sigma; \Gamma \vdash (M_1\ M_2) : B_1[M_2 \cdot_{A_1} \uparrow^{0}]$, and (c) $A =_{\lambda\Pi_{\mathcal{L}}} B_1[M_2 \cdot_{A_1} \uparrow^{0}]$, by
inversion of rule (Appl) applied to the hypothesis.

2. (a) $\Sigma; \Gamma \vdash A_1 : \mathit{Type}$ and (b) $\Sigma; A_1.\Gamma \vdash B_1 : s_1$, $s_1 \in \{\mathit{Kind}, \mathit{Type}\}$, by inversion of rule (Prod)
applied to (1-a).

3. $\Sigma; \Gamma \vdash B_1[M_2 \cdot_{A_1} \uparrow^{0}] : s_2$, $s_2 \in \{\mathit{Kind}, \mathit{Type}\}$, by sort soundness (Theorem 4.1) applied to (1-b).

4. $s_2 =_{\lambda\Pi_{\mathcal{L}}} \mathit{Type}$, by Lemma 4.6 applied to $\Sigma; \Gamma \vdash A : \mathit{Type}$, (1-c), and (3).

5. $s_2 = \mathit{Type}$, by Geuvers' lemma (Theorem 3.8) applied to (4).

6. $s_1 = \mathit{Type}$, by (2-b), (3), and (5).

Then, applying rule (Prod) to (2) and (6), we get $\Sigma; \Gamma \vdash \Pi_{A_1}.B_1 : \mathit{Type}$. By Def. 5.11 and induction
hypothesis, $[\![(M_1\ M_2)]\!] = [\![M_1]\!] = \mathcal{SN}$. □

Lemma 5.18. Let $M$ be a term in $\mathcal{NF}$ and $S$ a substitution in $\mathcal{NF}$,

1. if $\Sigma; \Gamma \vdash M : A$ and $\Sigma; \Gamma \vdash M : B$, then $[\![A]\!] = [\![B]\!]$, and

2. if $\Sigma; \Gamma \vdash S \triangleright \Delta_1$ and $\Sigma; \Gamma \vdash S \triangleright \Delta_2$, then $[\![\Delta_1]\!] = [\![\Delta_2]\!]$.

Proof. We only show the first case. The second case is proved by structural induction on $\Delta_1$. By type
uniqueness (Theorem 4.2), we have $A =_{\lambda\Pi_{\mathcal{L}}} B$, and by sort soundness (Theorem 4.1), $A = B = \mathit{Kind}$ or
($\Sigma; \Gamma \vdash A : s_1$, $\Sigma; \Gamma \vdash B : s_2$, and $s_1, s_2 \in \{\mathit{Kind}, \mathit{Type}\}$). The first case is trivial. For the second one, we use
soundness of $\lambda\Pi_{\mathcal{L}}$ (Theorem 4.5) to conclude that $A$ and $B$ are convertible via a path of well-typed terms.
Hence, it suffices to prove that for any well-typed term $N_1$, if $N_1 \to_{\lambda\Pi_{\mathcal{L}}} N_2$, then $[\![N_1]\!] = [\![N_2]\!]$. We prove
this by induction on the depth of the $\lambda\Pi_{\mathcal{L}}$-redex reduced in $N_1$. The only interesting case is (VarCons), i.e.,
$1[M_1 \cdot_{A_1} S] \to_{\lambda\Pi_{\mathcal{L}}} M_1$. We show that $[\![1[M_1 \cdot_{A_1} S]]\!] = [\![M_1]\!]$.

• From Def. 5.11, $[\![1[M_1 \cdot_{A_1} S]]\!] = [\![1]\!] = \mathcal{SN}$.

• If $1[M_1 \cdot_{A_1} S]$ is well-typed in $\Sigma; \Gamma$, then by inversion of rule (Cons), we have $\Sigma; \Gamma \vdash M_1 : A_1[S]$ and
$\Sigma; \Gamma \vdash A_1[S] : \mathit{Type}$. Therefore, by Lemma 5.17, $[\![M_1]\!] = \mathcal{SN}$.

So, $[\![1[M_1 \cdot_{A_1} S]]\!] = [\![M_1]\!] = \mathcal{SN}$. □

Lemma 5.19. Let $A_1 \in \mathcal{SN}$, and $M, A_2, B \in \mathcal{NF}$, if for all $N \in [\![A_2]\!]$, $(M[N \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![B]\!]$, then
$\lambda_{A_1}.M \in [\![A_2]\!] \to [\![B]\!]$.

Proof. Let $N \in [\![A_2]\!]$. We want to show $(\lambda_{A_1}.M\ N) \in [\![B]\!]$. Since $(\lambda_{A_1}.M\ N) \in \mathcal{NT}$ and $[\![B]\!] \in \mathcal{SAT}$,
it suffices to prove that if $(\lambda_{A_1}.M\ N) \to_{\beta\Pi_{\mathcal{L}}} M'$, then $M' \in [\![B]\!]$. By hypotheses, for all $N \in [\![A_2]\!]$,
$(M[N \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![B]\!] \subseteq \mathcal{SN}$; in particular, $(M[1 \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq \mathcal{SN}$. But, $M \in (M[1 \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}}$, and
thus, $M \in \mathcal{SN}$. We also have $N \in [\![A_2]\!] \subseteq \mathcal{SN}$ and $A_1 \in \mathcal{SN}$. Thus, we can reason by induction on
$\nu(M) + \nu(N) + \nu(A_1)$. In one step $(\lambda_{A_1}.M\ N)$ $\beta\Pi_{\mathcal{L}}$-reduces to:

• $(M[N \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}}$. By hypothesis, $(M[N \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![B]\!]$.

• $(\lambda_{A_1}.M\ N_1)$, with $N \to_{\beta\Pi_{\mathcal{L}}} N_1$. By Def. 5.4(2), $N_1 \in [\![A_2]\!]$, then by hypothesis, $(M[N_1 \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq$
$[\![B]\!]$. But also, $\nu(N_1) < \nu(N)$, thus, by induction hypothesis, $(\lambda_{A_1}.M\ N_1) \in [\![B]\!]$.

• $(\lambda_{A}.M\ N)$, with $A_1 \to_{\beta\Pi_{\mathcal{L}}} A$. But $A \in \mathcal{SN}$, since $A_1 \in \mathcal{SN}$, therefore, for any $M_1 \in (M[N \cdot_{A} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}}$,
$\mathcal{N}(M_1) \subseteq \mathcal{SN}$. We have $|(M[N \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}}| = |(M[N \cdot_{A} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}}|$⁴. By Def. 5.4(4), $(M[N \cdot_{A} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq$
$[\![B]\!]$. But also $\nu(A) < \nu(A_1)$, thus, by induction hypothesis, $(\lambda_{A}.M\ N) \in [\![B]\!]$.

• $(\lambda_{A_1}.M_1\ N)$, with $M \to_{\beta\Pi_{\mathcal{L}}} M_1$. Using the properties of $\lambda\Pi_{\mathcal{L}}$ and $\lambda\Pi^{D}_{\mathcal{L}}$, if $N_1 \in (M[N \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}}$,
then $N_1 \to^{*}_{\beta\Pi_{\mathcal{L}}} N_2$, where $|N_2| = |(M_1[N \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}}|$. By hypothesis, $N_1 \in [\![B]\!]$, thus, by Def. 5.4(2),
$N_2 \in [\![B]\!]$. Since $M_1$ and $A_1$ are in $\mathcal{SN}$, for any $M_2 \in (M_1[N \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}}$, $\mathcal{N}(M_2) \subseteq \mathcal{SN}$. We obtain
$(M_1[N \cdot_{A_1} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![B]\!]$ by Def. 5.4(4). But also $\nu(M_1) < \nu(M)$, thus, by induction hypothesis,
$(\lambda_{A_1}.M_1\ N) \in [\![B]\!]$.

In any case, $(\lambda_{A_1}.M\ N)$ reduces to a term in $[\![B]\!]$ and, therefore, $(\lambda_{A_1}.M\ N) \in [\![B]\!]$. □

We are ready to prove the key lemma, the soundness of $\models$ with respect to $\vdash$.

Lemma 5.20 (Soundness of $\models$). Let $M, S \in \mathcal{NF}$,

1. if $\Sigma; \Gamma \vdash M : A$, then $\Gamma \models M : A$, and

2. if $\Sigma; \Gamma \vdash S \triangleright \Delta$, then $\Gamma \models S \triangleright \Delta$.

Proof. Let $T \in [\![\Gamma]\!]$. We proceed by simultaneous structural induction on $M$ and $S$. We show the main
cases. In the proof, $\Uparrow_A(S)$ is a shorthand for $1 \cdot_A (S \circ \uparrow^{1})$.

• $M = X$ ($X$ is a meta-variable). We show that $(X[T]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![A]\!]$.

There are two cases:

– $T = \uparrow^{0}$. Therefore, $(X[T]){\downarrow}_{\Pi_{\mathcal{L}}} = \{X\}$. But also, $X$ is a neutral $\beta\Pi_{\mathcal{L}}$-normal form. Hence by
Corollary 5.5, $X \in [\![A]\!]$.

– $T \neq \uparrow^{0}$. Therefore, $(X[T]){\downarrow}_{\Pi_{\mathcal{L}}} = \{X[T]\}$. By Lemma 5.14, $T \in \mathcal{SN}$. Hence by Lemma 5.6,
$X[T] \in [\![A]\!]$.

• $M = \Pi_{A_1}.B_1$. We show that $((\Pi_{A_1}.B_1)[T]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![A]\!]$.

By inversion of rule (Prod), $\Sigma; \Gamma \vdash A_1 : \mathit{Type}$ and $\Sigma; A_1.\Gamma \vdash B_1 : s$, $s \in \{\mathit{Kind}, \mathit{Type}\}$. Note that if
$M_1 \in ((\Pi_{A_1}.B_1)[T]){\downarrow}_{\Pi_{\mathcal{L}}}$, then $M_1 = \Pi_{A_2}.B_2$, where $A_2 \in (A_1[T]){\downarrow}_{\Pi_{\mathcal{L}}}$ and $B_2 \in (B_1[\Uparrow_{A_1}(T)]){\downarrow}_{\Pi_{\mathcal{L}}}$.
By induction hypothesis on $A_1$, $(A_1[T_1]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![\mathit{Type}]\!] = \mathcal{SN}$ holds for all $T_1 \in [\![\Gamma]\!]$. Assuming
$T_1 = T$, we conclude $A_2 \in \mathcal{SN}$, and assuming $T_1 = \uparrow^{0}$, we conclude $A_1 \in \mathcal{SN}$.

Let $T_2 \in (\Uparrow_{A_1}(T)){\downarrow}_{\Pi_{\mathcal{L}}}$. We have $|B_2| = |(B_1[T_2]){\downarrow}_{\Pi_{\mathcal{L}}}|$ and $T_2 \in [\![A_1.\Gamma]\!]$. By induction hypothesis on
$B_1$, $(B_1[T_2]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![s]\!] = \mathcal{SN}$ holds. But, $\mathcal{N}(B_2) \subseteq \mathcal{SN}$. Hence by Def. 5.4(4), $B_2 \in [\![s]\!] = \mathcal{SN}$.

⁴ Since the $\Pi^{D}_{\mathcal{L}}$-calculus ($\Pi_{\mathcal{L}}$ without annotations of types in substitutions) is confluent (Lemma 3.10), we use the following
property: for any $M_1, M_2 \in (M){\downarrow}_{\Pi_{\mathcal{L}}}$, $|M_1| = |M_2|$.

Since $A_2, B_2$ are both in $\mathcal{SN}$, we have $\Pi_{A_2}.B_2 \in [\![A]\!]$ (Lemma 5.7).

• $M = \lambda_{A_1}.M_1$. We show that $((\lambda_{A_1}.M_1)[T]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![A]\!]$.

By inversion of rule (Abs), $\Sigma; \Gamma \vdash A_1 : \mathit{Type}$, $\Sigma; A_1.\Gamma \vdash M_1 : B$ and $\Sigma; \Gamma \vdash \lambda_{A_1}.M_1 : \Pi_{A_1}.B$.
By Lemma 5.18, $[\![A]\!] = [\![\Pi_{A_1}.B]\!] = [\![A_1]\!] \to [\![B]\!]$. Note that if $N \in ((\lambda_{A_1}.M_1)[T]){\downarrow}_{\Pi_{\mathcal{L}}}$, then
$N = \lambda_{A_2}.M_2$, where $A_2 \in (A_1[T]){\downarrow}_{\Pi_{\mathcal{L}}}$ and $M_2 \in (M_1[\Uparrow_{A_1}(T)]){\downarrow}_{\Pi_{\mathcal{L}}}$. By induction hypothesis on $A_1$,
$(A_1[T_1]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![\mathit{Type}]\!] = \mathcal{SN}$ holds for all $T_1 \in [\![\Gamma]\!]$. Assuming $T_1 = T$, we conclude $A_2 \in \mathcal{SN}$, and
assuming $T_1 = \uparrow^{0}$, we conclude $A_1 \in \mathcal{SN}$.

Now we prove that $\lambda_{A_2}.M_2 \in [\![A_1]\!] \to [\![B]\!]$. From Lemma 5.19, it suffices to prove that for any $N_1 \in$
$[\![A_1]\!]$, $(M_2[N_1 \cdot_{A_2} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![B]\!]$. Let $N_2 \in (M_2[N_1 \cdot_{A_2} \uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}}$ and $T_2 \in (\Uparrow_{A_1}(T) \circ (N_1 \cdot_{A_1} \uparrow^{0})){\downarrow}_{\Pi_{\mathcal{L}}}$.
We verify that $|N_2| = |(M_1[T_2]){\downarrow}_{\Pi_{\mathcal{L}}}|$ and $T_2 \in [\![A_1.\Gamma]\!]$. Therefore, by induction hypothesis on $M_1$,
$(M_1[T_2]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![B]\!]$. But $\mathcal{N}(N_2) \subseteq \mathcal{SN}$, thus, $N_2 \in [\![B]\!]$ by Def. 5.4(4).

□

Now, we show that $\beta\Pi_{\mathcal{L}}$ is strongly normalizing.

Lemma 5.21 (Strong normalization of $\beta\Pi_{\mathcal{L}}$). Let $M$ be a term in $\mathcal{NF}$ and $S$ be a substitution in $\mathcal{NF}$.

1. If $\Sigma; \Gamma \vdash M : A$, then $M \in \mathcal{SN}$, and

2. if $\Sigma; \Gamma \vdash S \triangleright \Delta$, then $S \in \mathcal{SN}$.

Proof. By Def. 5.13, $\uparrow^{0} \in [\![\Gamma]\!]$.

1. By Lemma 5.20, $M \in (M[\uparrow^{0}]){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![A]\!]$. By Corollary 5.12 and Def. 5.4(1), $[\![A]\!] \subseteq \mathcal{SN}$.

2. By Lemma 5.20, $S \in (S \circ \uparrow^{0}){\downarrow}_{\Pi_{\mathcal{L}}} \subseteq [\![\Delta]\!]$, and by Lemma 5.14, $[\![\Delta]\!] \subseteq \mathcal{SN}$.

□

Finally, we prove weak normalization on well-typed $\lambda\Pi_{\mathcal{L}}$-expressions.

Theorem 5.22 (Weak normalization). Let $M$ be a term in $\lambda\Pi_{\mathcal{L}}$ and $S$ a substitution in $\lambda\Pi_{\mathcal{L}}$.

1. If $\Sigma; \Gamma \vdash M : A$, then $M$ is weakly normalizing, and

2. if $\Sigma; \Gamma \vdash S \triangleright \Delta$, then $S$ is weakly normalizing.

Therefore, $M$ and $S$ have $\lambda\Pi_{\mathcal{L}}$-normal forms.

Proof. By Lemma 2.1 there exist $M_1, S_1 \in \mathcal{NF}$ such that $M \to^{*}_{\Pi_{\mathcal{L}}} M_1$ and $S \to^{*}_{\Pi_{\mathcal{L}}} S_1$. The subject
reduction theorem (Theorem 4.3) states that typing is preserved under reductions. Hence, $\Sigma; \Gamma \vdash M_1 : A$
and $\Sigma; \Gamma \vdash S_1 \triangleright \Delta$. Therefore, by Lemma 5.21, $M_1$ and $S_1$ are both in $\mathcal{SN}$. Finally, note that $\beta\Pi_{\mathcal{L}}$-normal
forms in $\mathcal{NF}$ are $\lambda\Pi_{\mathcal{L}}$-normal forms, too. □

5.2.  Confluence.  The  Church-Rosser  property  states  that  if  two  well-typed  expressions  are  convertible, 
then  they  are  joinable.  The  confluence  property  states  that  all  the  reductions  of  a  well-typed  expression  are 
joinable. 

We  need  the  following  lemma  coined  in  [44]. 

Lemma  5.23.  Let  x  and  y  be  XHc-normal  forms  such  that  x  =\uc  V-  Then,  x  —  y  if 

•  x  is  a  term,  E;Fi  x  :  A  and  E;T2  F  y  :  B,  or 

•  x  is  a  substitution,  E;Ti  h  x  >  Ai,  E;T2  y  >  A2,  and  Ai  =\uc  A2. 

Proof  By  Lemma  3.2(3),  |x|  and  \y\  are  An°-normal  forms,  and  by  Lemma  3.2(1),  \x\  =aii°  \y\-  Since 
An£  is  confluent  (Theorem  3.7),  \x\  =  \y\  holds.  Finally,  we  proceed  by  structural  induction  on  x.  We  use 
the  fact  that  sub-terms  of  well-typed  normal  forms  are  well- typed  normal  forms.  The  only  interesting  case 
is  x  =  M[T).  Since  x  is  a  All^-normal  form,  only  two  cases  are  possible: 

•  M  =  1  and  T  =tn+1-  This  case  is  trivial,  since  by  Def.  3.1,  l[tn+1]  —  |I[tn+1]|-  Therefore,  x  =  y. 

•  M  —  X,  where  X  is  a  meta-variable  and  T  /t°-  By  hypothesis,  y  =  X[T\]  where  \T\  =  |Ti|.  By 

Lemma  3.3,  T  Tx.  Let  A  be  the  type  of  T  and  Ai  the  type  of  Ti.  By  the  inversion  of  rule 
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(Clos)  applied  to  x  and  y,  it  holds  that  X  is  well-typed  in  both  contexts  A  and  Ai.  By  inversion  of 
rule  (Metavar),  A  =xn£  Ai.  Thus,  by  induction  hypothesis,  T  =  Ti,  and  thus,  x  =  y. 

a 

The  above  property  is  not  valid  when  Ai  A2.  Take,  for  example,  the  context 
T  =  m:(T  0)  — >  nat.  0 :nat.  l:(Tln:nat.(T  n)).  T:nat  -4  Type.  nat:Type 
and  the  two  substitutions 

Si  =  [y  :=  (l  0)  -(T  x)  x  :=  0  -nat  t°] 

and 

Si  =  [y  :=  (/  0)  -(T0)  x  :=  0  -nat  t°]. 

By  Lemma  3.3,  Si  =\nc  S2-  Also, 

r  b  Si  >  y:(T  x).  x:nat.  T 

and 

Tb  S2  >  y:(T  0).  x:nat .  T. 

In  this  case,  the  well- typed  substitutions  Si  and  S2  are  =An£ -convertible,  but  they  are  not  identical. 

Theorem 5.24 (Church-Rosser). Let $x$ and $y$ be such that $x =_{\lambda\Pi_{\mathcal{L}}} y$. Then, $x$ and $y$ are $\lambda\Pi_{\mathcal{L}}$-joinable, i.e., there exists $w$ such that $x \to^{*}_{\lambda\Pi_{\mathcal{L}}} w$ and $y \to^{*}_{\lambda\Pi_{\mathcal{L}}} w$, if

1. $x$ is a term, $\Sigma;\Gamma_1 \vdash x : A$ and $\Sigma;\Gamma_2 \vdash y : B$, or

2. $x$ is a substitution, $\Sigma;\Gamma_1 \vdash x \triangleright \Delta_1$, $\Sigma;\Gamma_2 \vdash y \triangleright \Delta_2$, and $\Delta_1 =_{\lambda\Pi_{\mathcal{L}}} \Delta_2$.

Proof. By the weak normalization theorem (Theorem 5.22), there exist $\lambda\Pi_{\mathcal{L}}$-normal forms $x'$ and $y'$ such that $x \to^{*}_{\lambda\Pi_{\mathcal{L}}} x'$ and $y \to^{*}_{\lambda\Pi_{\mathcal{L}}} y'$. It suffices to show that $x' = y'$, which is a consequence of the subject reduction theorem (Theorem 4.3) and Lemma 5.23. □

Confluence  of  All c  is  a  consequence  of  the  Church-Rosser  property  (Theorem  5.24)  and  subject  reduction 
(Theorem  4.3). 

Corollary 5.25 (Confluence). Let $x$ be an arbitrary well-typed expression. If $x \to^{*}_{\lambda\Pi_{\mathcal{L}}} y$ and $x \to^{*}_{\lambda\Pi_{\mathcal{L}}} z$ for some $y, z$, then there exists $w$ such that $y \to^{*}_{\lambda\Pi_{\mathcal{L}}} w$ and $z \to^{*}_{\lambda\Pi_{\mathcal{L}}} w$.

Since $\lambda\Pi_{\mathcal{L}}$ enjoys both Church-Rosser and weak normalization, we have that $\lambda\Pi_{\mathcal{L}}$-normal forms of well-typed terms always exist and are unique. Thus, the equivalence on well-typed expressions is decidable.

Corollary 5.26 (Decidability). The equivalence $x =_{\lambda\Pi_{\mathcal{L}}} y$ is decidable if

• $x$ is a term, $\Sigma;\Gamma_1 \vdash x : A$ and $\Sigma;\Gamma_2 \vdash y : B$, or

• $x$ is a substitution, $\Sigma;\Gamma_1 \vdash x \triangleright \Delta$, $\Sigma;\Gamma_2 \vdash y \triangleright \Delta$.

6. Related Work and Conclusion. Explicit substitutions and the let-in constructor of functional ML-style programming languages have similar characteristics. In both mechanisms the application of a substitution to a term can be delayed. For example, $\mathbf{let}\ x := 0\ \mathbf{in}\ \lambda y{:}A.x$ will be unfolded to $\lambda y{:}A.0$, in the same way that $(\lambda y{:}A.x)[x := 0]$ reduces to $\lambda y{:}A.0$. In their simply-typed versions, explicit substitutions and let-in constructors act in the same way. However, in dependent-type systems, the relationship between both mechanisms is not immediate.
To illustrate this, let us take the typing rule for closures (explicit applications of substitutions to terms) in a dependent-type system:

$$\frac{\Gamma \vdash S \triangleright \Delta \qquad \Delta \vdash M : A}{\Gamma \vdash M[S] : A[S]}\ (\mathit{Clos}_\Pi).$$


Consider the context

$\Gamma = m{:}(T\ 0) \to nat.\ 0{:}nat.\ l{:}(\Pi n{:}nat.(T\ n)).\ T{:}nat \to Type.\ nat{:}Type$.


Using the above typing rule, the term $(m\ (l\ x))[x := 0]$ is ill-typed. This is because the information that the variable $x$ will be substituted by $0$ in $(m\ (l\ x))$ is not taken into account by rule $(\mathit{Clos}_\Pi)$. Therefore, the type of $(l\ x)$ is $(T\ x)$, but not $(T\ 0)$ as expected by $m$. On the other hand, the same term can be written using the let-in notation as: $\mathbf{let}\ x := 0\ \mathbf{in}\ (m\ (l\ x))$. This term is well-typed because $x$ has the value $0$ in $(m\ (l\ x))$, and thus $\mathbf{let}\ x := 0\ \mathbf{in}\ (m\ (l\ x))$ is going to be typed as $(m\ (l\ 0))$.
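The following derivation is added here as a worked illustration of the two typings above; it is not part of the paper, and it carries the example through with the paper's own symbols, assuming as in the example of Section 5 that $[x := 0]$ abbreviates the substitution $0 \cdot_{nat} \uparrow^0$.

The substitution is well-typed in $\Gamma$:
$$\Gamma \vdash [x := 0] \triangleright x{:}nat.\ \Gamma .$$
Hence rule $(\mathit{Clos}_\Pi)$ can only conclude $\Gamma \vdash (m\ (l\ x))[x := 0] : A[x := 0]$ from a premise of the form
$$x{:}nat.\ \Gamma \vdash (m\ (l\ x)) : A .$$
In the context $x{:}nat.\ \Gamma$ we have $l : \Pi n{:}nat.(T\ n)$, so $(l\ x) : (T\ n)[n := x] = (T\ x)$, while $m : (T\ 0) \to nat$. Typing the application $(m\ (l\ x))$ therefore requires
$$(T\ x) =_{\lambda\Pi_{\mathcal{L}}} (T\ 0),$$
which fails: in $x{:}nat.\ \Gamma$ both sides are distinct normal forms. No such $A$ exists, so the closure is ill-typed, even though $(T\ x)[x := 0]$ does reduce to $(T\ 0)$; the rule types $M$ before $S$ is propagated inside it.

For the let-in term the definition is unfolded first, turning $(m\ (l\ x))$ into $(m\ (l\ 0))$ in $\Gamma$, and then
$$(l\ 0) : (T\ 0), \qquad (m\ (l\ 0)) : nat .$$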

The unfolding of definitions before typing is not sufficient when we admit meta-variables. The reason is that substitutions and meta-variables may appear in normal forms. In this case, we cannot avoid having a rule like $(\mathit{Clos}_\Pi)$. The approach we have taken is to consider explicit substitutions different from the let-in mechanism. The explicit substitution technique allows substitutions to be part of the formal language by means of special constructors and reduction rules. In this way, the term $(m\ (l\ x))[x := 0]$ is ill-typed, just as the term $(\lambda x{:}nat.(m\ (l\ x))\ 0)$ is. The let-in structure has a more complex behavior. It provides a mechanism for definitions in the language. Formal presentations of type systems with definitions are given in [41, 3].

Some type theories extended with explicit substitutions have been proposed: the Simple Type Theory [1, 27, 8, 21, 6], the Second-Order Type Theory [1], the Martin-Löf Type Theory [43], the Calculus of Constructions [39], and Pure Type Systems [2]. Except for the simply-typed version of $\lambda\sigma$ in [8], none of them considers terms with meta-variables as first-class objects.

Our main contribution is the complete meta-theoretical development of a dependent-type system with explicit substitutions which explicitly handles open expressions (i.e., expressions with meta-variables). The system enjoys the usual typing properties: type uniqueness, subject reduction, weak normalization, and confluence. Applications of such a calculus are frameworks for the representation of incomplete proofs, and first-order settings for higher-order unification problems.

In this paper, we have presented the $\lambda\Pi$-theory. Although full polymorphism or inductive definitions are not considered in this theory, the main difficulties, due to the mutual dependence between terms and types, already arise in $\lambda\Pi$. Other theories, such as the Calculus of Constructions, can be considered as the logical framework for $\lambda\Pi_{\mathcal{L}}$ [34]. Note also that $\lambda\Pi_{\mathcal{L}}$ does not handle the $\eta$-rule. Extensional versions of explicit substitution calculi have been studied for ground terms [24]. However, work is necessary to understand the interaction with dependent types and meta-variables.